Let me present you with the new issue of BSD
magazine: The Inevitability of IPv6.


We start with Michael Shirk, and his article about
Configuring a FreeBSD Stealth Logging Server and
news about the FreeNAS™ Version 8.0.1 release.


As always you will also find news from DragonFlyBSD
brought by Justin C. Sherrill.


This month's How Tos include another part of the GIS
series written by Rob Somerville, and two ONMP
articles from Toby Richards. They are followed by
Jasper Lievisse Adriaanse's LibGTop article, a brief
introduction to this handy library.


You will also find a piece of advice on protecting
from DDoS attacks given by Stavros N. Shaeles in the
Security section of the magazine.


In the end we present the cover story (or stories)
of the issue, Inevitability of IPv6, written by Paul
Ammann: two articles which will convince you that the
switch to IPv6 is inevitable.


We all hope you will enjoy the reading and find it
informative. Make sure to make it before the November
issue hits!
Yours,
Zbigniew Puchciński
Editor
heinshi@sotware.com 
06 iXsystems Announces Release of
FreeNAS™ Version 8.0.1
Josh Paetzel
Release features back end changes and bugfixes as well
as new front end user features.


08 Configuring a FreeBSD Stealth Logging
Server
Michael Shirk
The collection of log files provides security administrators
with the ability to have an audit trail for the behavior of
an information system. In the event that a system is
compromised, remote logging provides a forensic trail to
determine what occurred on the system.


Developers Corner


12 DragonFlyBSD news: Recovering data
with hammer
Justin C. Sherrill
It's been a while since we had a straightforward news
report for DragonFly; the time since then has been filled
with reports on Hammer and bulk pkgsrc builds.


How Tos


14 Using Openmaps data with Geoserver
Rob Somerville
In this article in our GIS series, we will examine
how to import Openmaps data. Open Street Map
(openstreetmap.org), founded in July 2004 by Steve
Coast, is a treasure trove of worldwide street maps
available under the Creative Commons licence.


20 ONMP on OpenBSD 4.9
Toby Richards
OpenBSD is my BSD of choice. In fact, it is my OS of
choice wherever possible. I always challenge those who
disagree with me to name another OS with a similar track
record for security.


OSSEC on OpenBSD (ONMP) 4.9
Toby Richards
It is worth saying up front that these instructions assume
that you're running Nginx compiled from source vice
Apache or Nginx from Ports or Packages.


Tips & Tricks


26 Taking a Peek Under the Hood Without
Compromising Security - LibGTop and
OpenBSD
Jasper Lievisse Adriaanse
LibGTop allows developers to peek under the hood of the
kernel and export lots of system data in a convenient and
easy to use library.


Security


Protecting Apache From DoS And DDoS
Stavros N. Shaeles
DoS (Denial of Service) or DDoS (Distributed Denial
of Service) is an attack where multiple compromised
systems (which are usually infected with a Trojan) are
used to target a single system in an attempt to make the
system resources (CPU, memory, network) unavailable to its
intended users, causing the system to crash.


IPv6


36 The inevitability of IPv6, Part 1
Paul Ammann
A switch from IP to IPv6 is on your horizon. Are you
ready for it?


42 The inevitability of IPv6, Part 2
Paul Ammann
Configure IPv6 in your network, even if your routing
infrastructure doesn't yet support it.
iXsystems Announces Release
of FreeNAS™ Version 8.0.1


Release features back end changes and bugfixes,
as well as new front end user features


The FreeNAS™ Team has announced the release
of FreeNAS™ Version 8.0.1. FreeNAS™ 8.0.1
represents a major leap in functionality and
stability for FreeNAS™ 8. Features added to FreeNAS™
in the 8.0.1 branch include S.M.A.R.T. and UPS services,
USB 3.0 support, and OS X Lion AFP and Time Machine
compatibility. In addition, cronjob support and rsync have
been added to the GUI, and replication has been improved
for increased data integrity.

In addition to the many back end changes and
bugfixes, FreeNAS™ 8.0.1 also includes new front end
user features. A new stoplight icon in the top right of the
GUI functions as an alert system, keeping administrators
in tune with the overall health of their installation. This
icon is visible from every page of the GUI, and will
change color in keeping with the condition of the system
as indicated by the alert messages. Clicking the icon
brings up a dialogue outlining which messages have
keyed the alert.

The stoplight system will be most noticeable to new
users and administrators booting a fresh install. As of
8.0.1, FreeNAS™ no longer has a default password,
which will cause the alert light to flash red until one is
added. This has the added security benefit of blocking
SSH or root shell access until a root password is set by
the administrator. The GUI also now includes a checkbox
to set the root user shell password to be the same as the
WebGUI administrator's password, if desired.

8.0.1 includes another less immediately obvious, but
still notable update: the ZFS deletion system now
actually functions as a volume export utility. "Deleted"
ZFS volumes can be added through the volume importer
until the member disks are eventually reused in another
volume. For the security-conscious, the GUI has an option
to wipe the disks on deletion rather than leaving them
usable, as well as an option to prevent the volume deletion
from cascading over and affecting shares attached to the
deleted volume.

Another important back end change in 8.0.1 is support
for arbitrary mount points for UFS volumes. The size
of the FreeNAS™ boot device no longer sets a cap on
the size of the var slice, if properly exported to another
storage volume. While this only affects a small number
of users in specific applications, this is an important
milestone for users with large amounts of temporary
data to cache, such as an Active Directory's "users and
groups" data.

"8.0.1 represents significant advancement towards the
goals outlined by the current FreeNAS™ roadmap," says
Josh Paetzel, Director of IT at iXsystems. "With all the
significant issues addressed, FreeNAS™ development
will be able to better focus on total feature parity with
Version 7, rather than just solid completion for existing
new features."

Eventually, with the final release of FreeNAS™ 8.0.1,
development will shift to the 8.1 branch, which will add a
third-party plug-in system. The plug-ins will use a variation
on the PBI system pioneered by PC-BSD. Through
plugins, FreeNAS™ 8 will be able to support most or
all of the features that were part of FreeNAS™ 7 (such
as BitTorrent and UPnP) while keeping the base install
image slim for those who only want the core functionality
of FreeNAS™. Version 8.1 will also feature a supported
upgrade path from FreeNAS™ 7.x.


JOSH PAETZEL
Josh Paetzel: a 37 year old advocate, user and developer of BSD
Unix based systems. He resides in Minneapolis, Minnesota USA
where he hacks on FreeBSD and PC-BSD, both as a volunteer and
as part of his full time work as the Director of IT at iXsystems.
The BSD Certification Group Inc.
(BSDCG) is a non-profit organization
committed to creating and
maintaining a global certification
standard for system administration
on BSD based operating systems.


WHAT CERTIFICATIONS ARE AVAILABLE?


BSDA: Entry-level certification suited for candidates
with a general Unix background and at least six months of
experience with BSD systems.


BSDP: Advanced certification for senior system administrators
with at least three years of experience on BSD systems.
Successful BSDP candidates are able to demonstrate
strong to expert skills in BSD Unix system administration.


WHERE CAN I GET CERTIFIED?


We're pleased to announce that after 7 months of
negotiations and the work required to make the exam
available in a computer based format, the BSDA
exam is now available at several hundred testing centers
around the world. Paper based BSDA exams cost $75 USD.
Computer based BSDA exams cost $150 USD. The price of
the BSDP exams are yet to be determined.


Payments are made through our registration website:
https://register.bsdcertification.org/register/payment


WHERE CAN I GET MORE INFORMATION?


More information and links to our mailing lists, LinkedIn
groups, and Facebook group are available at our website:
http://www.bsdcertification.org


Registration for upcoming exam events available at our
registration website:
https://register.bsdcertification.org/register/get-a-bsdcg-id


GET STARTED 


Configuring a FreeBSD Stealth Logging Server


The collection of log files provides security administrators
with the ability to have an audit trail for the behavior
of an information system. In the event that a system is
compromised, remote logging provides a forensic trail to
determine what occurred on the system.








What you will learn...
+ A configuration for out-of-band remote logging

What you should know...
+ Basic FreeBSD knowledge to get to the command line
+ Basic knowledge of how tcpdump and syslog work


The collection of remote log files maintains the integrity of the
logs, since the original system logs on the compromised host can
no longer be trusted. Going beyond a normal log server is the
configuration of a stealth log server which does not interact with
the network it is monitoring, much like an intrusion detection
system. Since the system is not accessible from the network, it is
nearly impossible beyond physical access to compromise the logging
system.

Syslog has been the standard for system logging since its inception
alongside sendmail back in the 1980's. syslogd is normally the
service used to handle the system logging in most *nix based
operating systems. Updated services include syslog-ng and rsyslog,
which provide finer grained control over the log messages. One of
the important features of any syslog daemon is the ability to
forward log files to a remote host. Normally, a remote
Figure 2. Stealth Logger setup on Hub/SPAN port


server accepts connections on UDP port 514 and writes
out log files as shown below in Figure 1.

If the system was compromised in this case, the
remote logging server would have a record of the system
logs before the attacker gained control of the system.
The question is, what happens if the logging system
itself is compromised? This is the same issue faced by
intrusion detection and prevention systems in regards
to establishing a separation between the monitoring and
management network. It is a mistake to have interfaces
configured on the same network that is being monitored,
due to the risk of possible exploitation of a vulnerability
giving access to backdoor the system. One solution is


Figure 4. Promiscuous Mode Settings in VirtualBox


Listing 1. The following steps make sure the em1 interface is in promiscuous mode without an address upon boot


Listing 2. The following is the stealth logger script as well as cron. The interface is passed to the script. The example interface used here is em1.











Listing 3. Run the following to add cron to rotate the packet capturing every hour. The example interface used here is em1.














to setup a stealth logging server with an interface in
promiscuous mode to sniff the syslog packets out-of-
band. This is shown in Figure 2.

Because of the UDP protocol being connectionless, the
destination of the syslog messages can be any type of
device, even a printer. The promiscuous interface on the
stealth log server will receive all of the traffic. An extra
security step for the paranoid is to disable the transmit
pair on the Cat6 cable, preventing any chance of the
server sending packets out.

In the case of virtual machines, a FreeBSD VM can be
given an interface with Promiscuous Mode in VMware or
VirtualBox to allow all of the traffic on the virtual switch to
be monitored. Figure 3 gives the example for VMware.

The first thing that needs to be completed is the install
of FreeBSD. All of the steps listed were performed on
a Virtual Machine with a FreeBSD minimal install with
the ports tree (see FREEBSDINSTALL for installation
instructions). Using VirtualBox, navigate to Settings
->Network->Advanced as shown in Figure 4.

Once this has been completed, start up the VM and
login as root. All of the commands are to be run with
an administrative account (using sudo if preferred). Run
the commands in Listing 1 to enable promiscuous mode
for the interface to be used. In this example, the Stealth
Logger is connected to an internal network with several
other devices on interface em1.

Listing 2 is a simple script to log syslog packets on UDP
514 into a directory structure based on the year/month/
day/hour. Running this in cron hourly will keep a record for
each hour of log data.

Listing 3 is the process to add the hourly log rollover for
tcpdump. Running this in cron hourly will keep a record for
each hour of log data.

The stealth log server will continue to collect any syslog
traffic that is seen and log it into the script's log directory
(with the default script settings). In a later article, additional
details will be provided for setting up Snare on Microsoft
Windows and syslog on other BSD and Linux
operating systems to send to the log server. In addition
to the configuration, parsing tools will be demonstrated to
utilize the log data. Example output from the syslog data
is displayed in Listing 4. In this example, the testuser has
failed to login as root.


On the Web
+ FREEBSDINSTALL: http://www.freebsd.org/doc/handbook/install-start.html
+ VirtualBox: http://www.virtualbox.org
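An hourly capture job of the kind Listings 2 and 3 describe, written here as an added example rather than the article's own scripts. It assumes the promiscuous, address-less interface is em1, that captures live under /var/log/stealth, and that the script is installed as /usr/local/sbin/stealth_capture.sh; before capturing it checks that the interface really is stealthy.

```shell
#!/bin/sh
# Added example, not the article's own Listing 2 or 3: an hourly capture job
# for a FreeBSD stealth logger. Assumptions: the promiscuous, address-less
# interface is em1 (set in /etc/rc.conf as ifconfig_em1="up promisc"),
# captures live under /var/log/stealth, and tcpdump(1)/ifconfig(8) are the
# FreeBSD base-system tools.

IFACE="${IFACE:-em1}"
LOGROOT="${LOGROOT:-/var/log/stealth}"

# BPF filter: keep only syslog datagrams, not everything the promiscuous
# interface happens to see on the segment.
capture_filter() {
    echo 'udp and dst port 514'
}

# File name for one hour of captures, relative to LOGROOT, in the
# year/month/day/hour layout the article describes.
# Args: year month day hour (zero-padded strings).
hourly_path() {
    echo "$1/$2/$3/$4/syslog-$1$2$3-$4.pcap"
}

# Read ifconfig(8) output for the capture interface from stdin and decide
# whether it is safe to capture: the interface must be UP and PROMISC and
# must carry no inet/inet6 address, or the "stealth" box would answer ARP,
# ICMP and neighbour discovery. Exit 0 when safe, 1 otherwise.
iface_is_stealth() {
    awk '
        /PROMISC/ && /UP/ { up_promisc = 1 }
        /^[ \t]+inet6? /  { addressed = 1 }
        END { exit (up_promisc && !addressed) ? 0 : 1 }
    '
}

# Constructed ifconfig output (not captured from a real host) used by
# selfcheck: a correctly prepared interface, and the same interface with an
# address left on it, which must be rejected.
SAMPLE_OK='em1: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 08:00:27:aa:bb:cc
        status: active'
SAMPLE_ADDRESSED='em1: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.56.10 netmask 0xffffff00 broadcast 192.168.56.255
        status: active'

# Prints "ok" when both samples are classified as expected.
selfcheck() {
    printf '%s\n' "$SAMPLE_OK" | iface_is_stealth || { echo fail; return 1; }
    if printf '%s\n' "$SAMPLE_ADDRESSED" | iface_is_stealth; then echo fail; return 1; fi
    echo ok
}

# One hour of capture, meant to run from cron at the top of each hour.
# -G 3600 -W 1 makes tcpdump rotate once and exit, so each cron run produces
# exactly one file; -n suppresses DNS lookups, which would make the stealth
# host transmit; no -p, so promiscuous mode stays on.
capture_hour() {
    rel=$(hourly_path "$(date +%Y)" "$(date +%m)" "$(date +%d)" "$(date +%H)")
    ifconfig "$IFACE" | iface_is_stealth || {
        echo "refusing to capture: $IFACE is not up/promisc or has an address" >&2
        return 1
    }
    mkdir -p "$LOGROOT/$(dirname "$rel")"
    tcpdump -i "$IFACE" -n -s 0 -G 3600 -W 1 -w "$LOGROOT/$rel" $(capture_filter)
}

# Root crontab line that runs this script hourly; assumes it was installed
# as /usr/local/sbin/stealth_capture.sh.
cron_entry() {
    echo '0 * * * * /usr/local/sbin/stealth_capture.sh run'
}

case "${1:-}" in
    run)       capture_hour ;;
    selfcheck) selfcheck ;;
esac
```

Run it with `selfcheck` to exercise the interface test on the constructed samples, and `run` (from cron, as root) to capture.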


MICHAEL SHIRK
Michael Shirk is a BSD zealot who has worked with OpenBSD and
FreeBSD for over 6 years. He works in the security community
and supports Open-Source security products that run on BSD
operating systems. He wishes to thank Thomas Conway and J.
Cummings for testing the instructions in this article.
DragonFlyBSD news: Recovering data with
hammer


It's been a while since we had a straightforward news report
for DragonFly; the time since then has been filled with reports on
Hammer and bulk pkgsrc builds.


‘we've managed to cover the 
‘space betwoon releases, since 
last news 
this in BSD. 


<<: Dragon]FlyBSD =: 


DragonFly 
ieved pr 


Wi had 6 projects total, wh 
passing. (One student wont AWOL at 
‘Some ofthe code has made it to DragonFly, 
show upin the 212 release 
ere’ altho finished projects 
report. Im toaly going to use these notes 
the 212 lease notes, a fac + Bring kernel event otiicaton in DragonFWy 
logical conclusion Samuel Groear 


‘equivalent of Linux's libdevmapper, and a 
teplay. This new ulity is compatible wth 
ps0 You can create encrypied volumes, hide 
59 on. See iruecrypter for more details on 





‘Drivers fom NetBSD to DragoaFly 
up DragonFly 88D as a KVM quest 


3, for all patlorms that 
‘including DragonFly. 
binary packages. for 

‘uit to go withthe 2.12 
gh they may not be avaliable 
usually takes several 


(Gol ready fora dression ) 
too that comes with th instal, called 

XS cor. mar 10 the appropriate path on a 
for that system's release version and 
and downloads pkgsre binaries 

“ss. This is very nie for instalation, 
ing installed packages, but changing the 

2s fot DragonFly oa new quately release 


sat, since binary 
exist frit orifbuling from source, use 
"and upgrade using the binary built from 

‘the binary package management 


news, DESTDIR suppor in pkgsrc is almost 

all packages. Support of DESTDIR means 

2s can be installed as nonoot, and the 

‘or 50 stragglers are mostly software no 
by the orginal creators, 


Java users will notice the 1.6 JDK now 
DragonFly, as does OpeniOK7, thanks to 
‘igeot.(OpenJOK is 886 only) 


Hardware support 
“There's been updates for various network card 
hardware in he time between DragonFly 2.10 
cithor original or Brought in from othor BSD. 
‘and Marvell naw have more supported chip 


chip is supported 
DragonFly’ interupt ru 
has been thoroughly 
by Sepherosa Zishau, so newer models that do 
for you with DragonFly 2.10, or did not play 
siffrent ACP! modes, may perform beter. Also, 
ofthe times, support for certain ISA devices was: 


Benchmarks of 2.10 vs. 2.11
Francois Tigeot ran some disk benchmarks:
HAMMER on DragonFly 2.10, Hammer on DragonFly
2.11, and ZFS on OpenIndiana. The ZFS numbers


JUSTIN C. SHERRILL 





HOWTO'S 


Using Openmaps data 
with Geoserver 


In this article in our GIS series, we will examine how to
import Openmaps data.


Open Street Map (openstreetmap.org) founded in July 2004 
by Steve Coast, is a treasure trove of worldwide street maps 
available under the Creative Commons licence. 





What you will learn...
+ How to create street maps of any region of the world

What you should know...
+ Basic FreeBSD administration skills
+ Previous FreeBSD GIS tutorials in the series
Unfortunately, some of the maps do not give
complete coverage so consideration should be
given to the suitability of using this data in mission
critical or production environments. That said, living in a
fairly remote part of the UK I was pleasantly surprised by
the accuracy of the street map. I was expecting many
more errors than I found, mostly missing street names
from areas well off the beaten track.
The sheer quantity of map data available is enormous:
the full planet PBF file is 14Gb which expands to
> 110Gb when extracted, so unless you have lots of
storage, bandwidth and time, a subset is a more practical
approach. Weekly updates are available in diff format.
For this article, I have used map data for Kentucky, which
was a reasonable 220Mb uncompressed. Even that data
set pushed my VirtualBox Geoserver to the limit as I only
have a twin processor PC with 4GB of RAM. There is an
OSM plugin available for QGIS covered in the previous
article, so the map data can be manipulated albeit in a
rudimentary fashion as the plugin is still in the early stages
of development.

As a lot of this code will not fit easily on a page, I am
using the convention ? to denote a carriage return.








Figure 1. Creating the Workspace


Pre-requisites
You will need a working Geoserver installation with
Postgres / PostGIS extensions and optionally QGIS
running in a workstation for editing the map data.


Choosing and downloading your maps
Visit http://downloads.cloudmade.com and download the
OSM map of your choice. Cloudmade also has TomTom
and Adobe Illustrator maps available, but we will be using
the OSM format for import into Geoserver. Once you
have downloaded, transfer the bz2 archives across to the
Geoserver box using SSH or MC etc. In this example I
have placed them in the ... directory.


Listing 3. Sample OSM file


Extracting and converting the files
Install bzip2 using the package manager (Listing 1).
Extract the archives (Listing 2). Examining the files we will
find that they are in standard XML format (Listing 3).

We now need to install osm2pgsql to import the file into
Postgres (Listing 4).

If you receive an error concerning the libtool version,
you will need to upgrade libtool to version 2.4 (Listing 5).

Create the database in Postgres and make it spatially
aware (Listing 6).

The next step is the actual import itself. The resulting
XML files will be resident in the OSM database
(Listing 7).





























Figure 7. Polygon and Road layers for Kentucky
Figure 8. Polygon layer for Kentucky
Create the PostGIS Vector datastore for the Kentucky
Workspace (Figure 2, Table 1).








Figure 9. Line layer for Kentucky
Figure 11. Line and Point layers (OSM)

Geoserver will now prompt you to publish the layers.
Publish each layer in turn, computing both bounding boxes,
Lat/Lon and Native. N.B: If you find that the layer preview
seems inaccurate, recalculate the bounding box. I found this
cured an inaccuracy in the layers. I also downloaded and
imported the Kentucky.osm, but from what I can see this is
the complete set of maps, roads and lines etc. and doesn't
need to be loaded. You will have to revisit the layers and
add the remaining 3 layers from Kentucky: OSM Kentucky
(Figures 3-5).


Layer groups
If you have lots of processing power at hand, you can
create a layer group (Figure 6). You may have to reorder
the layers accordingly, so the correct layer is on top. On
my VM, I was only able to group together polygon and
roads before Geoserver gave up after 60 seconds trying
to serve the map (Figure 7). While you can adjust the
time-out value in ..., maybe I should have
picked a smaller US state!

Regardless of layer groups, the layers are now ready
for styling, which was covered in a previous article (Figures
8-11).

I did finally manage to get my PC to process the lines
and points group layer, but I had to add an extra CPU to
the VM (Figure 12).


ROB SOMERVILLE
Rob Somerville has been passionately involved with technology
both as an amateur and professional since childhood. A
passionate convert to *BSD, he stubbornly refuses to shave
off his beard under any circumstances. Fortunately, his wife
understands him (she was working as a System/36 operator
when they first met). The technological passions of their
daughter and numerous pets are still to be revealed.


ONMP on OpenBSD 4.9 


OpenBSD is my BSD of choice. In fact, it is my OS of choice 
wherever possible. | always challenge those who disagree 
with me to name another OS with a similar track record for 


security. 





What you will learn...
+ How to build an OpenBSD/Nginx/MySQL/PHP (ONMP) server from
a fresh installed OpenBSD system.


What you should know...
+ How to use the command line.

+ How to set environment variables.

+ The difference between OpenBSD ...





We've all heard of LAMP (Linux Apache MySQL
PHP). My web server of choice happens to be
Nginx, not Apache. My BSD server in the cloud
isn't very beefy; it's a VPS with 512MB RAM. Nginx, being
much easier on resources than Apache, seems to be the
best choice for me. Creating an OpenBSD Nginx MySQL
PHP (ONMP) server was my first goal upon starting to
teach myself OpenBSD.

Before we begin a by-the-numbers tutorial on creating an
ONMP server, I'd like to give a plug for my hosting provider:
bsdvm.com. This is the only BSD hosting provider that I
could find who gives you access to the VMware console to
your server. This makes it easy to re-install your OS from
scratch, and specifically customized for your own needs.





Let's get started
Step 1

Let's install MySQL, wget, PHP (FastCGI), and several
core PHP modules from the packages system. Users of
other BSD systems will be appalled that I'm not using the
ports. Unlike certain other BSDs, OpenBSD recommends
packages over ports. Be sure to have set your PKG_PATH
environment variable:





I'm trying to run this as lean as possible, so I chose not
to (for now) install the popular (but very large) php5-
mbstring which gives PHP unicode support.

At the moment, I don't plan on needing to serve up any
language or symbol that isn't included in ASCII.


Step 2
Fix MySQL & PHP discrepancies


Step 2a
Create the default databases because the package install
doesn't do that for you.


Step 2b
Enable the PHP modules. The official documentation says
to make symbolic links.

I prefer to copy the files so that I can always reference
the original sample files.


Step 2c
Uncomment both lines in ...






Step 3
Install Nginx. Unfortunately, OpenBSD 4.9's Packages/Ports
system comes with a pre-1.0 version of Nginx. I don't like
that, so I'm going to compile Nginx 1.0.6 from source:


Step 3a


Step 3b
Install Nginx with OpenSSL in case we want to use
certificates later.


Step 4
Reconcile OpenBSD's html root with Nginx's. Nginx puts
the html root at ..., while OpenBSD (and the
PHP package) expect .... There are many
ways that you might choose to fix this, but the easiest is to
simply create a symlink.


Step 5
Configure Nginx for PHP.


Step 5a
Uncomment the following lines in ...,
except for ...


Do not uncomment this line


Do uncomment these lines








Step 5b
Change ...

Step 5c
Insert the following ... above the fastcgi ... line:

Step 5d
The Nginx official pitfalls page (http://wiki.nginx.org/Pitfalls),
Section 1.2 (as of this writing), tells us where to put the
root directive. Comment out every instance of root
and then insert that directive just below these lines:


Step 5e
The pitfalls page also recommends that we move the index
directive to avoid needing multiple index directives later.
Comment out the index line in ....
Add this modified version of the
line (which includes index.php) just below the ... line:








Step 6
Configure Nginx to start at boot time. I spent some time
trying to figure out how to jail Nginx with chroot. I couldn't
make it work because it always complained of not having
access to the library files in various subfolders that
it needed. I suppose that's ok because while the Nginx
master process runs as root, the Nginx worker process
runs as nobody. Add the following to /etc/rc.local (unlike
with GNU/Linux, rc.local is the official way to start
custom daemons in OpenBSD):


Step 7
Configure PHP-FastCGI to start at boot time. We can't
jail PHP to a particular directory, but we can use chroot to
make PHP run as nobody. Add this to /etc/rc.local:








Step 8
Configure MySQL to start at boot time. I really don't know
why, but the default scripts from packages in /etc/rc.d
don't work. In fact, through four re-installations of OpenBSD
4.9, I have yet to see any script from any package in
/etc/rc.d function. We need to start everything in rc.local
instead (even though we're launching MySQL as root,
mysqld_safe will automatically run as ...):





Step 9
Let /etc/rc.local do its magic now. Reboot. Then re-
login, and gain a root prompt (sudo).


Step 10
Let's give the root user of MySQL a password!


Step 11
Check Nginx & PHP. We're going to create a phpinfo file.
WARNING! This is insecure. Having a phpinfo file is a security
risk. Don't host this file in a production environment:


Now, from your laptop or whatever, go to the file's URL.
If you've done everything right so
far, then you see a nice web page that tells you all about
your server's PHP configuration.
Congratulations. You have a working and secure ONMP
server!


TOBY RICHARDS
Toby Richards has been a network administrator since 1997. He
considers himself to be a jack of all operating systems, but a true
master of none. He feels this to be a mastery in its own right since
he understands principles that are common to all operating
systems. His articles are the product of teaching himself to
become better with OpenBSD and PC-BSD. He simply writes
about what he has learned most recently. For a hosting provider,
he highly recommends bsdvm.com. They give you access to your
VMware console so that you can re-install your OS at will, and
with the settings of your own choosing.




OSSEC on OpenBSD (ONMP) 4.9


It is worth saying up front that these instructions assume
that you're running Nginx compiled from source vice
Apache or Nginx from Ports or Packages.





What you will learn...
+ How to harden your server with a Host Intrusion Prevention System


What you should know...

+ Command line use

+ An ability to understand basic web server logs, e.g. why a
request for /etc/master.passwd is a malicious request

+ A desire for a daemon to prevent malicious activity





OSSEC is a host intrusion prevention system (HIPS).
It is open source, and sponsored by Trend Micro. It can
notify you when important files change, and can temporarily
(10 minutes by default) block IP addresses when someone
does things such as:


+ Try to browse to URLs with .. in them, such as
..., ten times in two
minutes or less,
+ Enter bad username/password combos via SSH ten
times in two minutes or less,
+ Invoke ten or more 40x and/or 50x errors in two
minutes or less,
+ Lots of other bad guy activity.


OSSEC is not necessarily BSD specific, but since
OpenBSD's primary focus is security, then what can be
more OpenBSD than even more security?

Of course, all that ten times in two minutes or less
is customizable as well. The installation is pretty
straightforward. Download the tarball. Extract it. Run the
included install.sh script. Now we have some tweaking to
do.

First, we need to edit pf.conf so that OSSEC can
block bad IP addresses. Add the following just under set
skip on lo in your pf.conf file:





WordPress Users
OpenBSD's PHP package comes with something called
Suhosin to harden PHP. One of the things that Suhosin
prevents is any PHP script from changing the maximum
memory setting. A file in WordPress does this. We need to
prevent WordPress from doing this, or else OSSEC will block
OUR IP address when we log into WordPress administration.

In my version of WordPress the line number is 109. Yours
may vary. The line that we need to comment out is this:





Now, let's modify the config files to look at Nginx and
MySQL logs. By default this file isn't writable, even by
root, so we have to change that:


Now we can edit it. Add the
following lines just above the last line of the file:


Be sure to put the permissions back the way they were.
We can restart OSSEC with ...
Last, reload your pf.conf file.


Now drop from the SSH session on your server so that
you're back on your laptop. The following command,
issued from a host that's not your server, should lock you
out for ten minutes. This assumes that:


+ You hadn't chosen to whitelist yourself when running
install.sh

+ You enabled Active Response.

+ You have nmap installed.

+ You should also get an email if you enabled
notifications.


(0, we really have to: 
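The "ten failed SSH logins in two minutes or less" threshold described above, reproduced as an added example (not the article's own configuration) so that a candidate rule can be checked against authlog lines before Active Response is switched on. The log excerpt is constructed; the 10-hit count and 120-second window come from the text.

```shell
#!/bin/sh
# Added example, not part of the article: the "ten failed SSH logins in two
# minutes or less from one address" threshold that the text says OSSEC acts
# on, reproduced as a standalone awk pass over authlog lines, so you can see
# what a rule would have flagged before enabling Active Response. Assumes
# all lines fall on one day (no midnight rollover in the sample).

# Constructed authlog excerpt (not captured from a real host):
#   203.0.113.5  - ten failures between 10:00:05 and 10:01:50 (105 s span)
#   198.51.100.7 - ten failures, but one every three minutes
#   192.0.2.9    - one successful key login, never counted
SAMPLE_LOG='Oct 12 10:00:05 web sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Oct 12 10:00:12 web sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Oct 12 10:00:20 web sshd[2003]: Failed password for invalid user oracle from 203.0.113.5 port 40003 ssh2
Oct 12 10:00:30 web sshd[2010]: Failed password for root from 198.51.100.7 port 50001 ssh2
Oct 12 10:00:31 web sshd[2004]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Oct 12 10:00:44 web sshd[2005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Oct 12 10:00:58 web sshd[2006]: Failed password for root from 203.0.113.5 port 40006 ssh2
Oct 12 10:01:10 web sshd[2007]: Failed password for invalid user guest from 203.0.113.5 port 40007 ssh2
Oct 12 10:01:22 web sshd[2008]: Failed password for invalid user www from 203.0.113.5 port 40008 ssh2
Oct 12 10:01:36 web sshd[2009]: Failed password for root from 203.0.113.5 port 40009 ssh2
Oct 12 10:01:50 web sshd[2011]: Failed password for root from 203.0.113.5 port 40010 ssh2
Oct 12 10:02:00 web sshd[2100]: Accepted publickey for toby from 192.0.2.9 port 60000 ssh2
Oct 12 10:03:30 web sshd[2012]: Failed password for root from 198.51.100.7 port 50002 ssh2
Oct 12 10:06:30 web sshd[2013]: Failed password for root from 198.51.100.7 port 50003 ssh2
Oct 12 10:09:30 web sshd[2014]: Failed password for root from 198.51.100.7 port 50004 ssh2
Oct 12 10:12:30 web sshd[2015]: Failed password for root from 198.51.100.7 port 50005 ssh2
Oct 12 10:15:30 web sshd[2016]: Failed password for root from 198.51.100.7 port 50006 ssh2
Oct 12 10:18:30 web sshd[2017]: Failed password for root from 198.51.100.7 port 50007 ssh2
Oct 12 10:21:30 web sshd[2018]: Failed password for root from 198.51.100.7 port 50008 ssh2
Oct 12 10:24:30 web sshd[2019]: Failed password for root from 198.51.100.7 port 50009 ssh2
Oct 12 10:27:30 web sshd[2020]: Failed password for root from 198.51.100.7 port 50010 ssh2'

# flagged_ips [threshold] [window_seconds]
# Reads authlog lines on stdin and prints, once each, every source address
# that reaches <threshold> failed logins within any <window_seconds> span.
# Defaults are the values from the article: 10 failures in 120 s.
flagged_ips() {
    awk -v threshold="${1:-10}" -v window="${2:-120}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # $3 is HH:MM:SS in syslog format
            split($3, t, ":")
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
            seen[ip, n[ip]] = secs
            # count failures from this address inside the trailing window
            c = 0
            for (j = 1; j <= n[ip]; j++) if (secs - seen[ip, j] <= window) c++
            if (c >= threshold && !(ip in flagged)) { flagged[ip] = 1; print ip }
        }
    '
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | flagged_ips ;;
esac
```

Running it with `demo` prints only 203.0.113.5: the slow, spread-out attempts from 198.51.100.7 never put ten failures inside one 120-second window, which is exactly what the threshold is meant to distinguish.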





TOBY RICHARDS 







TIPS AND TRICKS 


Taking a Peek Under the Hood
Without Compromising Security


LibGTop allows developers to peek under the hood of the
kernel and export lots of system data in a convenient and
easy to use library.





What you will learn... 
+ Some LibGTop internals 
+ How to write simple applications with LibGTop 
+ What went into getting LibGTop in shape on OpenBSD 


What you should know... 
+ Basic programming knowledge 
+ The world is not Linux/x86 





LibGTop (LibGTop manual: http://developer.gnome.org/ 
libgtop/stable) is a library used to obtain various 
system statistics such as CPU and memory usage. 

This article is a brief introduction to the workings and 
usage of libgtop, as well as a description of OpenBSD's 
libgtop port and some of the challenges involved. 


What is LibGTop? 
LibGTop is one of the older libraries supporting the 
GNOME platform. It was initially imported into the 
GNOME source repository as early as May 1998. To 
put this into perspective, libgnome was imported in 
November 1997. Back then LibGTop already supported 
several platforms: GNU/Linux, DEC OSF/1 and SunOS 4. 
So for a change it was designed with non-Linux systems 
in mind. This greatly improved portability and as such 
it currently has backends for ten different operating 
systems. The FreeBSD backend was one of the first 
new backends to be added in August 1998, and it was 
the base for the generic BSD backend that was added 
in 2007. By this time the FreeBSD backend was infested 
with #if blocks for many of the other BSDs, including 
OpenBSD. 

Thus this generic BSD backend has been used by 
NetBSD, BSDi and OpenBSD, and only recently a 
separate OpenBSD backend was created, as described 
later in this article. 

OpenBSD has had a port (LibGTop port: http:// 
openports.se/devel/libgtop2) of LibGTop since OpenBSD 
3.0 and as such packages are available for all supported 
architectures. This poses various challenges, but it also 
ensures correctness and an even greater degree of 
portability. 

A great advantage of LibGTop is that application 
developers need not know on which platform the code 
is going to be used. This allows them to not worry about 
SunOS or Linux or BSD specifics and focus on what 
matters instead. LibGTop abstracts the platform specifics 
away and only exposes the developer to a well defined 
and stable API. 


What uses it? 
As part of the GNOME platform there are various 
applications using LibGTop. The most well known 
would be gnome-system-monitor and gnome-nettool. 
These applications use LibGTop extensively to retrieve 
CPU, memory, disk and filesystem usage, as well as the 
network interfaces, MAC addresses, network load and 
IP addresses. Apart from the obvious users, there are 
many more applications using it in less obvious ways. 
For example baobab from the gnome-utils package uses 
LibGTop to retrieve disk and filesystem statistics. 

Also non-GNOME projects such as gDesklets 
(gDesklets homepage: http://gdesklets.de/) use LibGTop. 
And of course there are many scripts out there that use 
the old Python bindings provided by gnome-python- 
desktop. Recently it's also become possible to use the 
GObject Introspection data; I'll elaborate on that later in 
this article. 

Thanks to the modular design in both the backend and 
frontend, applications can use LibGTop without knowing 
about the underlying operating system or architecture. 


How does it work? 
LibGTop's goal is to take information exported by the 
kernel to userland, on a host of different platforms, and 
present it to the caller in a uniform and standard 
way, regardless of the environment and of whether the 
backend for this operating system supports the feature 
the caller requested. 

I must say that the developers of LibGTop solved this 
problem in a rather elegant and clean way. This allowed 
the library to be successfully ported to (and used on) ten 
different operating systems, and at least an equal number 
of different hardware architectures. 

Various backends use different ways of retrieving 
the information from the kernel. For example the Linux 
backend uses the /proc filesystem intensively, even 
though accessing this filesystem is inefficient and 
slow. 

The BSD backends mostly use sysctl(3) and kvm(3) to 
retrieve the needed information from the kernel. There 
are some places where specialized mechanisms are 
used. For example swapctl(2) gets used for swap information, 
and a separate mechanism is used to retrieve detailed 
information about a process in the OpenBSD backend. 

As most of you are probably aware, sysctl is the 
commonly used interface to retrieve (and set) system 
information on BSD systems. For almost every call to 











Listing 1. Using #if blocks the backends make the available features known 






































LibGTop on Linux that backend has to read the correct 
file in /proc, parse it, get the needed lines from it, then 
do some more string parsing before having the needed 
value. Needless to say this is slow and error prone, and 
I'll leave it as an exercise to the reader to compare the 
Linux and BSD backends on the level of using sysctl. 

sysconf(3) is another platform independent way to 
retrieve system variables, though it is only sparsely used, 
by the AIX and Solaris backends. The OpenBSD backend 
only uses it to get the page size, as POSIX says one 
should not use getpagesize(3) for this anymore. 

As mentioned before, different platforms need different 
ways of accessing the information available in the kernel. 
In the general case this requires the program to be setgid 
kmem in order to read information such as CPU and 
memory information from /dev/kmem. Since making all the 
applications using LibGTop, or LibGTop itself, setgid kmem 
is a ridiculously insecure idea, a different approach was 
used. On platforms that require this, a special LibGTop 
server is being used. This program contains the system 
dependent code that needs special privileges and in case 
of BSD, it's installed setgid kmem. 

The collected data gets stored in C structures, the 
glibtop_mem struct for example. The library's header files declare 
this structure along with its members. All 
of the structures that contain system data also have a 
special flags member. This is used as a bitmask which 











Listing 2. Retrieving the total amount of memory with LibGTop 


is the way LibGTop tells callers about which fields of the 
structure contain correct data. In other words, using bitwise 
operations the backends can conditionally implement 
parts of the LibGTop API, called features. For example the 
generic BSD backend code contains the following piece of 
code: see Listing 1. 

Thus this feature shall only be made visible to the caller 
on FreeBSD, as it doesn't contain information on NetBSD 
(OpenBSD implemented it later in its own 
backend). This mechanism is simple, yet quite effective. 


How to use it? 
Everyone knows how to use a library: learn the API, call 
the API in the code and link with the library, and thus 
using LibGTop is no different. As explained earlier, its 
architecture is different from many libraries since it is 
using a server which actually retrieves data exported by 
the kernel and passes it to our process. 

Here follows a trivial example in C to demonstrate 
retrieving the total memory currently available in the 
machine (and visible to the kernel): see Listing 2. 

This program can be compiled with the following 
command (adding ... to the pkg-config command may or 
may not be necessary, depending on your platform): 


As with every other C program, first the headers need 
to be included, which is done on lines 1 to 4. On line 
8 we declare the variable mem which will contain the 
structure which will have the memory information for 
us. On line 9 we set up our connection to the privileged 
server, as well as obtain the features supported by this 
platform. Next we finally retrieve and store the memory 
statistics into the previously declared mem structure. 
This particular structure can have at most nine 
members depending on the current platform backend. 
Right now we're only interested in the total, which is 
then printed in kilobytes before closing our connection 
with the server. 

This example works regardless of the operating system 
and architecture it's run on as all the backends of LibGTop 
implement glibtop_get_mem. Of course if you were to 
print one of the other members, say shared or cached, 
the results may differ between platforms due to the way 
memory is handled in their kernels. 
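Listing 2 itself is not reproduced on this page, so here is an added example of mine, not the article's or LibGTop's code, that mirrors the two mechanisms just described: the privileged server side fills a result structure and marks in its `flags` bitmask exactly the fields its backend supports, and the caller checks that mask before trusting a field, then prints the total in kilobytes the way Listing 2 did. The bit numbers, backend names and memory figures are constructed, and nothing here links against libgtop.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for LibGTop's convention (added example, not libgtop code):
 * every field of a result structure has a bit number, and the backend sets
 * that bit in `flags` only for the fields it really filled in. The bit
 * numbers, backend names and memory figures here are constructed. */
enum mem_field {
    MEM_TOTAL = 0, MEM_USED, MEM_FREE, MEM_SHARED,
    MEM_BUFFER, MEM_CACHED, MEM_USER, MEM_LOCKED, MEM_NFIELDS
};
#define MEM_BIT(f) (UINT64_C(1) << (f))

typedef struct {
    uint64_t flags;                /* bit f set => field f holds valid data */
    uint64_t total, used, free_, shared, buffer, cached, user, locked;
} mem_info;

/* What a backend can report on its platform: the feature set that the
 * #if blocks in the generic BSD backend fix at compile time. */
typedef struct {
    const char *name;
    uint64_t features;
} backend;

static const backend backend_full = { "full",
    MEM_BIT(MEM_TOTAL) | MEM_BIT(MEM_USED) | MEM_BIT(MEM_FREE) |
    MEM_BIT(MEM_SHARED) | MEM_BIT(MEM_BUFFER) | MEM_BIT(MEM_CACHED) |
    MEM_BIT(MEM_USER) | MEM_BIT(MEM_LOCKED) };
static const backend backend_minimal = { "minimal",
    MEM_BIT(MEM_TOTAL) | MEM_BIT(MEM_USED) | MEM_BIT(MEM_FREE) };

/* Server side, the only part that would need kmem privileges: fill the
 * fields this platform supports and advertise exactly those in flags;
 * unsupported fields stay zero and unflagged. Figures are constructed. */
void get_mem(const backend *b, mem_info *m)
{
    const uint64_t mib = UINT64_C(1024) * 1024;
    const uint64_t sample[MEM_NFIELDS] = {
        4096 * mib, 3000 * mib, 1096 * mib, 128 * mib,
        256 * mib, 512 * mib, 2104 * mib, 8 * mib
    };
    uint64_t *slot[MEM_NFIELDS] = {
        &m->total, &m->used, &m->free_, &m->shared,
        &m->buffer, &m->cached, &m->user, &m->locked
    };
    m->flags = 0;
    for (int f = 0; f < MEM_NFIELDS; f++) {
        *slot[f] = 0;
        if (b->features & MEM_BIT(f)) {
            *slot[f] = sample[f];
            m->flags |= MEM_BIT(f);
        }
    }
}

/* Caller side: read field f only if the backend marked it valid.
 * Returns 1 and stores the value, 0 when the field carries no data. */
int mem_field(const mem_info *m, enum mem_field f, uint64_t *out)
{
    const uint64_t *slot[MEM_NFIELDS] = {
        &m->total, &m->used, &m->free_, &m->shared,
        &m->buffer, &m->cached, &m->user, &m->locked
    };
    if ((int)f < 0 || f >= MEM_NFIELDS || !(m->flags & MEM_BIT(f)))
        return 0;
    *out = *slot[f];
    return 1;
}

/* The article's first C example against the stand-in: total memory in
 * kilobytes, or 0 if this platform's backend does not report it. */
uint64_t total_memory_kb(const backend *b)
{
    mem_info m;
    uint64_t total;
    get_mem(b, &m);
    return mem_field(&m, MEM_TOTAL, &total) ? total / 1024 : 0;
}

/* 1 if backend b reports field f at all, 0 otherwise. */
int field_reported(const backend *b, enum mem_field f)
{
    mem_info m;
    uint64_t v;
    get_mem(b, &m);
    return mem_field(&m, f, &v);
}

int main(void)
{
    const backend *bs[] = { &backend_full, &backend_minimal };
    for (int i = 0; i < 2; i++)
        printf("%-8s total %llu kB, cached %s\n", bs[i]->name,
               (unsigned long long)total_memory_kb(bs[i]),
               field_reported(bs[i], MEM_CACHED) ? "reported" : "not reported");
    return 0;
}
```

The point to take away is the second function: a caller that reads `cached` without testing `flags` would print a zero on the minimal backend and believe it.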
Listing 3. A more elaborate example 

A more elaborate example is the following, which will 
print the IPv4/IPv6 address and some more information 
from the specified interface: see Listing 3. 

Again compile it with: 











I won't hold your hand and walk you through this 
example; instead I would like to invite you to explore the 
API yourself, perhaps using the previous code as an 
example. 


GObject introspection 
As of LibGTop version 2.28.3 GObject Introspection (GI; 
GObject Introspection homepage: http://live.gnome.org/ 
GObjectIntrospection) support was added. 

This allows programmers to use LibGTop from any 
language, using only the C library and the introspection 
data. This makes it possible to write scripts in JavaScript 
with Seed to gather some quick statistics, as well as 
writing full blown monitoring applications with Python or 
Vala. 

GObject Introspection is like the universal bindings 
to a library, provided there is a bridge between the 
introspection GIR and typelib data, and the targeted 
programming/scripting language. For Python this is the 





Listing 4. The first C example ported to Python and GObject 
Introspection 

standard package provided by pygobject along 
with the gobject-introspection library. Together these provide the packages 
to create and parse the GIR format as well as the bindings 
for GLib, GObject etc. These interfaces are available for 
many other languages, e.g. for JavaScript there is seed 
and for Ruby as well. 

To give an example of Python using GObject 
Introspection, analogous to the first C example, the following 
script can be used: see Listing 4. 

This example needs no further explanation as its 
behavior is identical to the C program demonstrated 
earlier. 

I think that one of the great advantages of GObject 
Introspection is that one doesn't need to learn another 
API to achieve something with a library one is already 
familiar with. 








Port to OpenBSD 
Port's history 

The original LibGTop port was imported back in 2001 and 
first shipped with OpenBSD 3.0 as part of the GNOME 
1.x port for OpenBSD. At this time the port was actually 
using the FreeBSD backend which had many OpenBSD 
(and NetBSD and BSDi, etc.) #if blocks and as such 
the source was very hard to read and understand. It 
made the Emacs source code look pretty! 

In 2003 a port of LibGTop 2.x was imported as part 
of the GNOME 2 platform which was still using the 
FreeBSD backend. OpenBSD kept using this backend 
until 2008 when LibGTop was released with a generic 
BSD backend. It wasn't until May 2011 that OpenBSD 
finally got its own backend implementation, but more on 
this shortly. 

Before 2008 the port was basically only there to ease 
the dependency chain of other GNOME ports. Though 
one could use it to retrieve basic information, LibGTop 
turned out to be very unstable. Applications such as 
gnome-system-monitor would not work reliably for more 
than a minute before crashing due to LibGTop blowing 
up. The system information applets for the GNOME panel 
wouldn't work correctly, gnome-nettool was unusable. 
Ergo, things needed to change and LibGTop needed to 
get fixed. 

The original LibGTop port for GNOME 1.x had in the 
meantime been removed (in 2007). Nobody bothered to 
fix the new version, so why keep the old one around if it's 
only going to be rotting away? No offense to the people 
who worked on the original port, but it was only marginally 
working. 

So back in 2008 an update to 2.20.x was committed by 
Antoine Jacoutot with a clear commit message: 

And fixing it we did, at least for a short while. One fix 
and a year and a half later I committed an update to 
2.2x.x. 


Sometime in the beginning of 2010 Antoine started 
working on a port of gnome-nettool and, needless to say, 
he had to start fixing LibGTop (again). He committed 
about a dozen fixes and thanks to his work LibGTop 
became much more stable and robust. At least good 
enough to import gnome-nettool, and a week later we 
imported gnome-system-monitor too. Though it was still 
rather unstable and wasn't displaying all the correct data, 
it was a start. 


Standalone OpenBSD backend 
In May 2011 I decided to pick up work on LibGTop again 
and to finish it this time. At this point the generic BSD 
backend had become one horrendous piece of code that 
was tied together with lovely #if blocks like: 








And that's only a harmless, non-nested block! I 
decided to take measures and fork the BSD backend 
into a separate OpenBSD implementation free of #if 
blocks and a proper base to use to fix the remaining 
issues. Having a standalone backend also made it 
much easier to submit, and eventually commit, patches 
upstream as it wouldn't interfere with any of the other 
backends. Over the course of the next few weeks many 
bugs were squashed and issues fixed, varying from 
implementing small IPv6 tweaks to fixing crashers and 
correctly retrieving CPU/memory/swap/disk/network 
data. 





Challenges 
Even though the current port works great (or at least close 
to it), it was far from an easy ride. Some of the biggest 
challenges we ran into when doing this port were (in 
random order): 


+ Type juggling: As LibGTop needs to run on various 
architectures with many different type widths, this 
posed a small challenge. Of course this is no different 
from any other program, yet it did bite us. Some 
machines (like amd64) had millions of megabytes of 
RAM, while 32-bit machines had negative amounts 
of RAM, which was rather odd to see. Though we 
quickly diagnosed and fixed it. 

+ Changing API: The LibGTop API has been very 
stable. In fact, it hasn't changed at all since 2008 
when a new function was added. The challenge 
here was to keep up with changes in OpenBSD. 
While most things are just using the simple sysctl 
interface, there are pieces of code that actually 
needed a UVM hacker in order 
to fix the code when OpenBSD switched to vmmap 
(ariane@'s commit: http://marc.info/?l=openbsd- 
cvs&m=130625008223064&w=2). Sadly the kernel 
patch was backed out shortly thereafter due to 
loss of memory address randomization, but it will 
probably be committed again in time for OpenBSD 
5.3. 

+ Unreadable source: As I just described in the 
previous section, at one point the generic BSD 
backend sources became completely unreadable and 
very hard to maintain and extend. Most of the code 
there was wrapped in various levels of #if blocks 
so maintenance became too hard and it was thus 
decided to split away from the generic BSD backend. 
I think this was one of the best decisions we made for 
this port. 








Current status 
I think we can say, with certain pride, that the LibGTop port 
has matured well. There are still some issues we need 
to address but generally it works very well on OpenBSD. 
One of the issues that exist as of writing this article is that 
we still depend on calling an external tool to get a list 
of open files; this needs to be migrated to a library call. Also, 
we'll need to do some extensive cross-architecture testing 
to ensure there are no more type-casting bugs in the code 
and that we get correct results on all the architectures 
OpenBSD supports. 





Conclusion 
In this article I have tried to give an overview of 
GNOME's LibGTop project in which I've been actively 
involved on both sides: being an OpenBSD developer 
working on the port, as well as having committed to 
the LibGTop repository. As such I've given a brief 
overview of how LibGTop works and a description of 
the OpenBSD port. 

In my opinion LibGTop is a good example of a portable 
project that works well in the modern desktop environment. 
In the past few years there have been various low-level 
projects that claim to be portable and lightweight. Although 
in reality they tend to have either one big dependency (the 
Linux kernel) or they require massively intrusive changes 
to the targeted operating system kernel. Prime examples 
are systemd, HAL and gudev, respectively. 

LibGTop solved this by having operating system 
independent backends which implement LibGTop's 
features using the operating system's own interfaces. 

Over the past few years the OpenBSD port of LibGTop 
has seen some major improvements. From a library that 
was basically only there to complete the dependency 
chain and wasn't doing much good, to a fully functional 
library that is well supported upstream too. Of course 
there is always room for improvement, but we're getting 
there and OpenBSD's upcoming 5.0 release will finally 
have a stable LibGTop! 

I would like to thank the gnome@FreeBSD.org team, 
and Joe Marcus Clarke (marcus@FreeBSD.org) in 
particular, for their continued efforts to improve GNOME 
(and thus LibGTop too) on FreeBSD. Various bits of 
code and patches have been merged from the FreeBSD 
LibGTop port into the OpenBSD port. 

Finally I would like to thank my fellow GNOME maintainer 
in OpenBSD, Antoine Jacoutot (ajacoutot@OpenBSD.org), 
with whom I've shared several years of tough challenges, 
but most of all laughter and joy as a direct result from 
working on GNOME and OpenBSD. 


JASPER LIEVISSE ADRIAANSE 
Jasper Lievisse Adriaanse has been an OpenBSD developer since 
2006 and GNOME committer since June 2011. Since getting his 
account he has been committing minor and major contributions 
to basically all areas of OpenBSD, as well as portability fixes to 
various GNOME projects. When he's not working on OpenBSD 
(either professionally or as a hobby) he has a keen interest in 
embedded system design/programming as well as traveling and 
hiking. 
SECURITY 


Protecting Apache 
From DoS And DDoS Attacks 


DoS (Denial of Service) or DDoS (Distributed Denial of 
Service) is an attack where multiple compromised 
systems (which are usually infected with a Trojan) are used 
to target a single system in an attempt to make the system 
resources (CPU, memory, network) unavailable to its intended 
users and cause the system to crash. 





What you will learn... 
+ What is a DoS attack 
+ Installing and configuring mod_evasive for Apache 2.2 in order to 
protect your web server from DoS/DDoS attacks 


What you should know... 
+ Using vi, nano, pico or any text editor 





In this tutorial I am introducing you to an Apache module 
that will help you protect your web server from DoS or 
DDoS attacks. The module I am going to use in this tutorial is called 
mod_evasive. It is a module, as I said above, for Apache, and 
its purpose is to provide evasive action in the event of 
an HTTP DoS or DDoS attack or brute force attack. It is 
also designed to be a detection tool, and can be easily 
configured to talk to ipchains, firewalls, routers, and more. 
Detection is performed by creating an internal dynamic 
hash table of IP addresses and URIs, and denying any 
single IP address from any of the following: 

+ Requesting the same page more than a few times per 
second 

+ Making more than 50 concurrent requests on the 
same child per second 

+ Making any requests while temporarily blacklisted (on 
a blocking list) 

Figure 1. Finishing the Apache mod_evasive installation 


This method has worked well in both single-server 
script attacks as well as distributed attacks, but just 
like other evasive tools, it is only as useful to the point of 
bandwidth and processor consumption (e.g. the amount 
of bandwidth and processor required to receive/process/ 
respond to invalid requests), which is why it's a good 
idea to integrate this with your firewalls and routers. 
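The three denial rules above, as an added example of mine (not mod_evasive's code): a constructed request stream is replayed through a small table standing in for the module's hash table, and the function reports which requests would be denied. The thresholds and the request lines are constructed for the example, not taken from any configuration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example, not mod_evasive's code: the three denial rules, run over a
 * constructed request stream. A per-(IP, URI) and a per-IP counter live in a
 * small table standing in for the hash table; an IP that trips a limit is
 * blacklisted for BLOCKING_PERIOD seconds and every request it makes while
 * listed is denied and extends the listing. Thresholds are constructed. */
#define PAGE_COUNT      2    /* same URI more than this often per PAGE_INTERVAL */
#define PAGE_INTERVAL   1    /* seconds */
#define SITE_COUNT      50   /* any URI more than this often per SITE_INTERVAL */
#define SITE_INTERVAL   1    /* seconds */
#define BLOCKING_PERIOD 10   /* seconds an offender stays blacklisted */
#define MAX_ENTRIES     64
#define KEY_LEN         160

typedef struct { char key[KEY_LEN]; long count; time_t stamp; } entry;
typedef struct { entry e[MAX_ENTRIES]; int used; } table;
typedef struct { table page, site, blocked; long denied; } evasive;

/* Find key, optionally appending an empty entry; NULL when absent or full. */
static entry *lookup(table *t, const char *key, int create)
{
    for (int i = 0; i < t->used; i++)
        if (strcmp(t->e[i].key, key) == 0)
            return &t->e[i];
    if (!create || t->used == MAX_ENTRIES)
        return NULL;
    entry *n = &t->e[t->used++];
    snprintf(n->key, KEY_LEN, "%s", key);
    n->count = 0; n->stamp = 0;   /* window start, or time of blacklisting */
    return n;
}

/* Count one hit for key; the counter restarts once its window has expired. */
static long hit(table *t, const char *key, time_t now, int interval)
{
    entry *e = lookup(t, key, 1);
    if (e == NULL) return 0;      /* table full: fail open rather than deny */
    if (now - e->stamp >= interval) {
        e->stamp = now;
        e->count = 0;
    }
    return ++e->count;
}

/* Returns 1 when the request should get a 403, 0 when it is served. */
int evasive_check(evasive *s, const char *ip, const char *uri, time_t now)
{
    char key[KEY_LEN];
    entry *b = lookup(&s->blocked, ip, 0);
    int listed = b && now - b->stamp < BLOCKING_PERIOD;          /* rule 3 */
    if (!listed) {
        snprintf(key, sizeof key, "%s %s", ip, uri);
        if (hit(&s->page, key, now, PAGE_INTERVAL) > PAGE_COUNT ||  /* rule 1 */
            hit(&s->site, ip, now, SITE_INTERVAL) > SITE_COUNT)     /* rule 2 */
            b = lookup(&s->blocked, ip, 1);
        else
            return 0;
    }
    if (b) b->stamp = now;        /* blacklist now, or extend the existing listing */
    s->denied++;
    return 1;
}

/* Constructed stream: one client hammering a page, one behaving. */
static const struct { const char *ip, *uri; time_t t; } sample[] = {
    { "203.0.113.10", "/index.php", 100 },
    { "203.0.113.10", "/index.php", 100 },
    { "203.0.113.10", "/index.php", 100 },   /* 3rd hit in 1 s: blacklisted */
    { "198.51.100.7", "/index.php", 100 },   /* other client unaffected */
    { "203.0.113.10", "/about.html", 105 },  /* still listed: denied, renewed */
    { "203.0.113.10", "/index.php", 116 },   /* 11 s after renewal: served */
};

/* Replays the stream and returns how many requests were denied. */
long replay_sample(void)
{
    evasive s;
    memset(&s, 0, sizeof s);
    for (int i = 0; i < (int)(sizeof sample / sizeof sample[0]); i++) {
        int deny = evasive_check(&s, sample[i].ip, sample[i].uri, sample[i].t);
        printf("t=%3ld %-13s %-12s -> %s\n", (long)sample[i].t, sample[i].ip, sample[i].uri, deny ? "403 blacklisted" : "200");
    }
    return s.denied;
}

/* Rule 2 alone: SITE_COUNT + 1 distinct pages from one IP within a second. */
int site_limit_trips(void)
{
    evasive s;
    char uri[32];
    memset(&s, 0, sizeof s);
    for (int i = 1; i <= SITE_COUNT; i++) {
        snprintf(uri, sizeof uri, "/page%d", i);
        evasive_check(&s, "192.0.2.1", uri, 200);             /* 50 are still served */
    }
    return evasive_check(&s, "192.0.2.1", "/page51", 200);    /* the 51st is not */
}
```

Note the fail-open branch in `hit()`: when the table is full the module cannot count, which is the bandwidth-and-processor limit the text warns about and why it pairs this with a firewall.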





Installing 


Figure 2. Apache: enabling the module 


Find the line below and change it as shown. Restart Apache to activate the module. 

Save the file and exit vi (using the :wq command). Create the 
config file: 

Note: You can modify the config of mod_evasive according to your 
needs. 

Create the mod_evasive log dir and make it writable so mod_evasive can write inside this 
folder. 

Now to test if it is working, create this small script: 

Copy and paste the above text to the file. Save it and close the file. Now run the script. 

Figure 3. Apache log showing a DoS attack 


And if you see Figure 3 that means it is running 
perfectly and blocking DoS or DDoS attacks. You will also 
get mail, if you are running a mail server on the PC, with the 
attacker IP. Now run: 


Now in the Apache log and in the mod_evasive log folder 
you will see Figure 4, and 
you can see the blocked IPs. 

Now let's tune a little bit our system for DoS attacks. 
Edit /etc/sysctl.conf using vi or any editor and add the 
values: 





net.inet.tcp.msl defines the Maximum Segment Life. 
This is the maximum amount of time to wait for an ACK 
in reply to a SYN-ACK or FIN-ACK, in milliseconds. 
If the computer does not receive an ACK in this time, 
it considers the segment lost and frees the network 
connection. 

This has two implications. When you are trying to close 
a connection, if the final ACK is lost or delayed, the socket 
will close more quickly. However, if a client is trying to 
open a connection to you and their ACK is delayed more 
than 7,500 ms, the connection will not form. RFC 793 
defines the MSL as 120 seconds (120,000 ms). However, 
this was written in 1979; timing issues have changed 
slightly since then. Today, FreeBSD's default is 30,000 
ms. This is sufficient for most conditions, but for stronger 
DoS protection you can lower this to 7,500 or less. 

net.inet.tcp.blackhole defines what happens when the 
system receives a TCP packet on a closed port. When 
set to 1, SYN packets arriving on a closed port will be 
dropped without a RST packet being sent back. When 
set to 2, all packets arriving on a closed port are dropped 
without an RST being sent back. This saves CPU time 
because packets don't need as much processing, and 
outbound bandwidth, by not sending out packets. 

net.inet.udp.blackhole performs the same function for UDP. 
As the UDP protocol does not have states 
like TCP, there is only one choice when it comes to 
dropping UDP packets. When net.inet.udp.blackhole is set to 
1, the system will drop all UDP packets that arrive on a 
closed port. 

The name net.inet.icmp.icmplim is somewhat 
misleading. This controls the maximum number of ICMP 
Unreachables and also TCP RST packets to return every 
second. It helps curb the effects of attacks that generate 
a lot of reply packets. 

kern.ipc.somaxconn limits the maximum number of 
concurrently open sockets. The default here is just 128. If 
an attacker can flood you with a sufficiently high number of 
SYN packets in a short enough period of time, he can use 
up all of your possible network connections, successfully 
denying your users access to the service. 

You may find these settings to be either too aggressive 
or not aggressive enough. Tune them until you receive 
satisfactory results. 

Now your server is a little more secure against DoS and 
DDoS attacks. 
Stavros N. Shaeles is a PhD student in the research area of data mining with applications 
to computer security, under the supervision 
of Associate Professor Alexandros S. Karakos, and also he is 
administrator of the LDP Lab in Democritus University of Thrace. 
The Inevitability of IPv6, Part 1 


A switch from IPv4 to IPv6 is on your horizon. Are you ready 
for it? 








What you should know... 
+ Basic TCP knowledge 











IPv6 is the set of protocols that will replace today's 
IPv4. IPv6 offers many benefits necessary to support 
the Internet's continuing expansion, most notably 
an expanded address space that overcomes pressures 
in regions such as Africa, Asia, China, and the Middle 
East. Temporary solutions such as Network Address 
Translation (NAT), although effective in the short term, 
won't provide long-term help. Recognizing that IPv6 
is the future, many governments are mandating that 
their systems and networks support IPv6, including 
the US government. If your company does business 
with entities that use (or plan to use) IPv6, you'll 
feel the pressure to support IPv6, if only to support 
communications between your company and your 
partners. Simply put, IPv6 might become a competitive 
advantage. 

In this first part of a three-part series, I describe IPv6 
addressing in detail, focusing on how its addressing 
scheme works. I also describe some of the new features 
of IPv6, as well as some of the reasons you should care 
about it, even if you don't plan on implementing it in 
the near future. In two future articles, I'll describe how 
to configure interfaces with addresses and enable DNS 
resolution. I'll also describe in detail how to configure 
your systems and networks to use IPv6 and IPv4 
together while you transition to an all-IPv6 network. 
Finally, I'll look into strategies for using IPv6 over the 
IPv4 Internet if your ISP doesn't support IPv6. But first, 
we need to lay down a foundation. 


BSD Support for IPv6 
Almost every modern OS supports IPv6 out of the box, 
and the BSD family of operating systems is no different. 
IPv6 came to BSD through the KAME project, which 
was a joint effort of six organizations in Japan with the 
aim to provide a free IPv6 and IPsec (for both IPv4 
and IPv6) protocol stack. If you are a history buff like 
myself, you will want to read Chapter 1 in IPv6 Core Protocols 
Implementation by Qing Li, Tatuya Jinmei, and Keiichi 
Shima. 

Because of the significant internal differences between 
IPv4 and IPv6, some of the lower level functionality 
available to programmers in the IPv6 stack does not work 
identically with IPv4-mapped addresses. Some common 
IPv6 stacks do not support the IPv4-mapped address 
feature, either because the IPv6 and IPv4 stacks are 
separate implementations (e.g., Microsoft Windows 
2000, XP, and Server 2003), or because of security 
concerns (OpenBSD). On these operating systems, 
it is necessary to open a separate socket for each IP 
protocol that is to be supported. On some systems, e.g. 
the Linux kernel, NetBSD, and FreeBSD, this feature is 
controlled by the socket option IPV6_V6ONLY as specified 
in RFC 3493. 
IPv6 Addressing 
IPv6 gives you a whole new means of uniquely addressing 
a node (or end system). In IPv6, there are 128 bits 
available to uniquely identify a node. IPv4 offers 32 bits, 
for a total of more than 4 billion possible combinations, 
but far fewer are practically available because of the way 
address space has been organized. With 128 bits, we'll 
have sufficient addresses for the next millennium, even 
given the way addresses are allocated. 

Before I discuss the allocation and use of IPv6 
addresses, it's helpful to understand the format that's 
used to represent them. Whereas IPv4 uses a dotted- 
decimal system (e.g., 192.168.16.10), IPv6 uses a 
different format. An IPv6 address is split into eight 16-bit 
blocks. Each block is represented by four hexadecimal 
digits, and each block is separated by a colon (:). Within 
each block, leading zeroes can be omitted so that the 
address can be read more compactly. Also, blocks of zeroes 
can be omitted, so that the address can be further simplified. 

Note the use of the double colon to represent 
the blocks of zeroes. If you have more than one block 
of consecutive zeroes in an address, only one block 
can be omitted. (Otherwise, it would be impossible to 
reconstruct the original address.) 
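The two rewriting rules above as an added example of mine, not from the article: compressing a full address and expanding it back, with the expansion refusing an address that elides more than one run of zero blocks. The sample addresses are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the article: the two rewriting rules in both
 * directions. ipv6_compress() drops leading zeroes in each block and puts
 * "::" in place of the single longest run of all-zero blocks (the first on
 * a tie); ipv6_expand() undoes that and rejects a second "::". Only the
 * eight-block colon notation is handled, not embedded IPv4 forms. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse up to eight colon-separated hex blocks from s[0..len). Returns the
 * block count, 0 for an empty string, -1 for any malformed input. */
static int parse_blocks(const char *s, size_t len, unsigned *b)
{
    int n = 0, digits = 0;
    unsigned val = 0;
    if (len == 0) return 0;
    for (size_t i = 0; i <= len; i++) {
        char c = (i < len) ? s[i] : ':';          /* virtual closing colon */
        if (c == ':') {
            if (digits == 0 || n == 8) return -1; /* empty block, or a 9th */
            b[n++] = val;
            val = 0; digits = 0;
        } else {
            int d = hexval(c);
            if (d < 0 || ++digits > 4) return -1; /* not hex, or 5+ digits */
            val = val * 16 + (unsigned)d;
        }
    }
    return n;
}

/* Compressed text form of a full eight-block address. Returns 1 on success. */
int ipv6_compress(const char *full, char *out, size_t outlen)
{
    unsigned b[8];
    int best_start = -1, best_len = 0, run = 0;
    size_t pos = 0;
    if (outlen < 40 || parse_blocks(full, strlen(full), b) != 8)
        return 0;
    for (int i = 0; i <= 8; i++) {                /* longest zero run; first wins ties */
        if (i < 8 && b[i] == 0) { run++; continue; }
        if (run > best_len) { best_len = run; best_start = i - run; }
        run = 0;
    }
    if (best_len < 2) best_start = -1;            /* a lone zero block stays "0" */
    for (int i = 0; i < 8; i++) {
        if (i == best_start) {
            pos += (size_t)snprintf(out + pos, outlen - pos, "::");
            i += best_len - 1;                    /* skip the elided blocks */
        } else {
            pos += (size_t)snprintf(out + pos, outlen - pos, "%s%x",
                     (i > 0 && i != best_start + best_len) ? ":" : "", b[i]);
        }
    }
    return 1;
}

/* Full eight-block, four-digit form of a possibly compressed address. */
int ipv6_expand(const char *text, char *out, size_t outlen)
{
    unsigned head[8], tail[8], full[8];
    int nh, nt = 0, k = 0;
    const char *gap = strstr(text, "::");
    if (outlen < 40) return 0;
    if (gap) {
        nh = parse_blocks(text, (size_t)(gap - text), head);
        nt = parse_blocks(gap + 2, strlen(gap + 2), tail);   /* a 2nd "::" fails here */
        if (nh < 0 || nt < 0 || nh + nt > 7) return 0;
    } else if ((nh = parse_blocks(text, strlen(text), head)) != 8)
        return 0;
    for (int i = 0; i < nh; i++) full[k++] = head[i];
    while (k < 8 - nt) full[k++] = 0;               /* the zeroes "::" stood for */
    for (int i = 0; i < nt; i++) full[k++] = tail[i];
    for (int i = 0; i < 8; i++)
        snprintf(out + i * 5, outlen - (size_t)i * 5, "%04x%s", full[i], i < 7 ? ":" : "");
    return 1;
}

/* 1 if compressing full yields expect and expanding expect restores full. */
int roundtrip_ok(const char *full, const char *expect)
{
    char c[40], e[40];
    return ipv6_compress(full, c, sizeof c) && strcmp(c, expect) == 0 &&
           ipv6_expand(expect, e, sizeof e) && strcmp(e, full) == 0;
}

/* 1 if text is a well-formed (possibly compressed) address, else 0. */
int ipv6_valid(const char *text)
{
    char e[40];
    return ipv6_expand(text, e, sizeof e);
}
```

The tie case ("2001:db8::1:0:0:1") shows why only one run may be elided: the expander fills the gap with exactly 8 minus the blocks it was given, which is unambiguous only for a single "::".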

Currently, three types of IPv6 addresses can be 
allocated to a node: unicast, multicast, and anycast. A 
unicast address uniquely identifies a single interface (or 
network connection) on a node (or a virtual interface on 
clustered systems). A multicast address is similar to an 
IPv4 multicast address and can be shared by several 
interfaces on several nodes. A packet with a multicast 
destination address is delivered to all interfaces on all 
nodes that share the address. However, a packet with 
an anycast destination address is delivered to only one 
interface: the nearest interface to the sending interface. 
Regardless of type, the address identifies an interface 
on a node, not the node itself. A node will likely 
have multiple IPv6 addresses, even if it has only one 
interface. 











Unicast Addresses 
Each interface can have more than one unicast address. 
A unicast address can be an Aggregatable Global Unicast 
Address (aka global address), or a Local-Use Unicast 
Address. 


Global address 
A global address is unique to the interface it's assigned 
to and can be used to reach that interface from any other 
interface. Global IPv6 addresses are hierarchical and 
contain routing information. Figure 1 shows the format 
of a global address. A unicast address's first three bits, 
called the Format Prefix (FP), are always 001. FPs can 
be of varying length (e.g., the multicast FP is eight bits 
in length). The next thirteen bits comprise the Top-Level 
Aggregation Identifier (TLA ID). This ID is allocated to top- 
level ISPs, of which there can be 8,192. 

Next in the address is a reserved field, eight bits in 
length and designed for future expansion of the TLA ID. 
The next field in the address, the Next-Level Aggregation 
Identifier (NLA ID), is 24 bits long and is used by the 
top-level ISP to organize networks or to support second- 
tier ISPs, each of which would have one or more NLA IDs 
assigned to them. 

These combined 48 bits uniquely identify a site 
belonging to the top-level or second-tier ISP's customer. 
Sites are determined by geography. For example, an 
international company might have many sites. Each 
site's IPv6 connection will have a 48-bit address unique 
to the site. Each site can use the next sixteen bits in the 
address, called the Site-Level Aggregation Identifier 
(SLA ID), to divide the site into subnets. Each site can 
have 65,535 subnets. Alternatively, if a company has 
multiple sites but only one IPv6 connection via an ISP, 
it can use the SLA ID to route between the sites and to 
the connection. The last field in the global address is the 
Interface ID, which is 64 bits in length. This field is similar 
to IPv4's host identifier, which uniquely identifies the host 
on the network. 





Local-Use Unicast Address 
‘There are two types of Lacal-Use Unicast Addresses. 
‘The first is called link-local address, which is used to 
‘communicate between interfaces belonging te nodes on 
2 single ink. The second is called a sitelocal adcross, 
which is used ta communicate between Interfaces 
belonging fo nodes in a site. Both are Viable atenatives 
te @ global adéress, depending an the scope. Figure 2 
shows the scope of lnk and a st, 

Link-local addressing is similar to IPv4's Automatic
Private IP Addressing (APIPA)[1]. Link-local addresses
begin with an FP of FE80::, the last 64 bits of a link-local
address are the Interface ID, and the bits in between the
FP and the Interface ID are zeroed out. As with APIPA,
link-local addresses are automatically configured without
the need for a DHCP server or manual configuration. In
fact, every IPv6-capable interface automatically has a
link-local address configured for it. If you have any nodes
on your network that support interfaces with IPv6, they'll
have link-local addresses and might be sending packets
onto your network as part of Neighbor Discovery. Two
nodes on the same link with interfaces that support IPv6
will automatically be able to communicate with each
other, without any further configuration or management.
However, communication using link-local addresses is
restricted to a link: IPv6-aware routers should never
forward packets with link-local source or destination
addresses.

Site-local addresses are similar to the IPv4 private
addresses, which have the network identifiers 10.0.0.0/
8, 172.16.0.0/12, and 192.168.0.0/16. Site-local
addresses always begin with an FP of FEC0::. As with
link-local addresses, the last 64 bits of the address
comprise an Interface ID. The lower 16 bits of the top
64 bits, called the Subnet ID field, uniquely identify
subnets in the site, the same as the SLA ID field in a
global address. The bits between the FP and the Subnet
ID field are zeroed out.

IPv6 uses two special constant addresses. The first is
called the unspecified address and is always set to
all zeros, or just :: for short. This address, similar to its
IPv4 counterpart, functions as a source
address when no other address is available (e.g.
when requesting an IP address from an IPv6-capable
DHCP server). The second address is the loopback
address and is always 0:0:0:0:0:0:0:1, or simply ::1.
This address, equivalent to the IPv4 loopback address
127.0.0.1, can be used for local testing of applications
and configuration. Every interface will respond to the
loopback address.


The Interface ID

The Interface ID in a unicast address is always 64 bits in
length. It was designed this way to support 48-bit MAC
addresses of current 802.x LAN technologies such as
Ethernet, and wireless technologies such as Bluetooth
and Wi-Fi, as well as the 64-bit addresses that FireWire
uses. Future 802.x series LAN and wireless technologies
will also use 64-bit addressing. The requirement to
support 48-bit and 64-bit MAC addresses comes from
the requirement that the Interface ID in a unicast address
can be derived from a MAC address using an Extended
Unique Identifier (EUI) 64 address. The Interface ID can
also be assigned manually or by an IPv6-capable DHCP server.

In the most common scenario, the Interface ID is
derived from the 48-bit MAC address of an Ethernet
card. A 48-bit MAC address is split into two 24-bit halves.
The IEEE assigns the first 24 bits to manufacturers. The
manufacturer uses the second 24 bits to uniquely identify
the card. Although it's possible to override the MAC
address of an Ethernet card, let's assume that it hasn't
been overridden. To convert a 48-bit MAC address to a
64-bit Interface ID, the system first copies 24 bits of the
MAC address to the first 24 bits of the Interface ID. Bits 17
and 16 of the first 24 bits representing the manufacturer
(reading from right to left, starting at 0) are always set to
0. During the copy, the system sets them to 10. After
the 24 bits are copied over, 16 bits are added, and
they are always the same. The system then copies the 24 bits in
the second half of the MAC address to produce the 64-bit
Interface ID.

In dial-up scenarios, the Interface ID can be generated
using a process designed to guarantee the anonymity
of the user. If not for this provision, a system could be
tracked as it used the Internet, regardless of the ISP used,
because the Interface ID would be unique to the computer
regardless of the ISP.
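The conversion just described, and the tracking concern in the paragraph above it, as an added Python example written for this edit (it is not code from the article): it builds the modified EUI-64 Interface ID from a MAC address, forms the fe80:: link-local address a stack would autoconfigure from it, and reverses the mapping to show why an EUI-64 Interface ID lets a machine be recognised on any network it joins. The 16 inserted bits are 0xFFFE and the bit the system flips is the universal/local bit of the first octet; the sample MAC is constructed.

```python
"""Modified EUI-64 Interface ID derivation (added example, not the article's code)."""


def mac_to_interface_id(mac):
    """Return the 64-bit Interface ID (as an int) for a 48-bit MAC string."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address such as 00:11:22:33:44:55")
    # First 24 bits: the IEEE-assigned manufacturer part. The universal/local
    # bit (second-lowest bit of the first octet, "bit 17" counted from the
    # right of the 24-bit field) is inverted: 0 in the MAC becomes 1 here.
    manufacturer = bytearray(octets[:3])
    manufacturer[0] ^= 0x02
    # Then the constant 16 bits 0xFFFE, then the manufacturer's 24-bit serial.
    eui64 = bytes(manufacturer) + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big")


def interface_id_to_text(iid):
    """Format a 64-bit Interface ID as four colon-separated hex groups."""
    return ":".join("%x" % ((iid >> shift) & 0xFFFF) for shift in (48, 32, 16, 0))


def link_local_from_mac(mac):
    """The fe80::/64 link-local address a stack autoconfigures from this MAC."""
    return "fe80::" + interface_id_to_text(mac_to_interface_id(mac))


def mac_from_interface_id(iid):
    """Recover the MAC if the Interface ID is EUI-64 derived, else None.

    This is the privacy problem: anyone who sees the address can identify
    the network card, whatever prefix or ISP the host is currently using.
    """
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":          # no FFFE marker: not MAC-derived
        return None
    first = bytes([b[0] ^ 0x02])       # undo the universal/local bit flip
    return ":".join("%02x" % x for x in first + b[1:3] + b[5:])


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"          # constructed sample MAC
    iid = mac_to_interface_id(mac)
    print(mac, "->", link_local_from_mac(mac))
    print("recovered MAC:", mac_from_interface_id(iid))
```

Running it with the sample MAC prints fe80::211:22ff:fe33:4455 and recovers 00:11:22:33:44:55 from it, which is exactly why randomised (temporary) Interface IDs were later introduced for hosts that should not be trackable.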


Multicast Addresses
IPv6 multicasting is similar to IPv4 multicasting. A node
that wants to listen for multicast traffic will set the IPv6
address of an interface to the multicast address that the
traffic is being sent to. Multicast addresses have an FP of
FF00::. The next four bits of the multicast address comprise
the Flags field.
The lowest bit in the Flags field is called the Transient
flag. If set to 0, the multicast address is a well-known
address set by IANA; if set to 1, it's a non-permanent
or transient multicast address. The next four bits of
the multicast address comprise the Scope field. The
purpose of this field is to identify the scope of the
multicast traffic, and to identify the traffic as node-
local, link-local, site-local, organization-local, or global.
Routers use this field to determine whether to forward
traffic. The last field in the multicast address is the Group
ID, which is 112 bits in length. The Group ID identifies
the multicast group. As with unicast addresses, there
are predefined multicast addresses. Table 1 lists the
three most common ones.
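To make the field layouts of the global, site-local, link-local, special and multicast addresses concrete, here is an added example (my own code for this edit, not from the article) that classifies an IPv6 address, pulls the SLA ID and Interface ID out of a global or site-local address, decodes the Flags and Scope fields of a multicast address, and answers the question a router or a firewall rule has to answer: may this address be forwarded off the link? It uses Python's standard ipaddress module; the scope names beyond those the article lists, and the 2001:db8:: documentation prefix in the sample addresses, are taken from the IPv6 standards and are assumptions as far as the article is concerned.

```python
"""IPv6 address classifier (added example, not the article's code)."""
import ipaddress

# Names for the 4-bit multicast Scope field. The article names node-, link-,
# site-, organization-local and global; admin-local is the standard's name
# for value 4 (assumption taken from the RFCs).
SCOPE_NAMES = {
    0x1: "node-local",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}

MASK64 = (1 << 64) - 1


def classify(text):
    """Describe an IPv6 address using the fields discussed in the article."""
    addr = ipaddress.IPv6Address(text)
    n = int(addr)
    info = {"address": addr.compressed}
    if addr.is_unspecified:                      # :: (all zeros)
        info["kind"] = "unspecified"
    elif addr.is_loopback:                       # ::1
        info["kind"] = "loopback"
    elif addr.is_multicast:                      # FP ff00::/8
        info["kind"] = "multicast"
        flags = (n >> 116) & 0xF                 # 4 bits after the FP
        scope = (n >> 112) & 0xF                 # next 4 bits
        info["transient"] = bool(flags & 0x1)    # lowest Flags bit = T flag
        info["scope_value"] = scope
        info["scope"] = SCOPE_NAMES.get(scope, "reserved")
        info["group_id"] = n & ((1 << 112) - 1)  # remaining 112 bits
    elif addr.is_link_local:                     # FP fe80::/10
        info["kind"] = "link-local"
        info["interface_id"] = n & MASK64
    elif addr.is_site_local:                     # FP fec0::/10
        info["kind"] = "site-local"
        info["subnet_id"] = (n >> 64) & 0xFFFF   # low 16 bits of the top half
        info["interface_id"] = n & MASK64
    else:
        info["kind"] = "global unicast"
        info["site_prefix"] = n >> 80            # top 48 bits (FP, TLA ID, NLA ID)
        info["sla_id"] = (n >> 64) & 0xFFFF      # 16-bit SLA ID (subnet)
        info["interface_id"] = n & MASK64
    return info


def router_may_forward(text):
    """False for traffic a router must keep on the link (or not route at all)."""
    info = classify(text)
    if info["kind"] in ("unspecified", "loopback", "link-local"):
        return False
    if info["kind"] == "multicast" and info["scope_value"] <= 0x2:
        return False          # node-local or link-local scope (and reserved 0)
    return True


if __name__ == "__main__":
    # Constructed sample addresses, one per category.
    for sample in ("2001:db8:1234:5678::1", "fec0:0:0:5::1", "fe80::1",
                   "ff02::1", "ff15::abcd", "::", "::1"):
        print(sample, classify(sample), "forward:", router_may_forward(sample))
```

The forwarding check is the defender's use of this layout: a router, or a filter in front of one, that sees link-local sources or node/link-scope multicast groups arriving from, or leaving for, another link is looking at traffic that should never have crossed a router.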
When using multicasting in IPv6, you should use only
the bottom 32 bits of the Group ID field and zero out the
top 80 bits. Doing so eases conversion of the
multicast address to an Ethernet multicast address. An
Ethernet multicast address takes the form 33:33:xx:xx:xx:xx.

Using the recommended multicast addressing format,
the bottom 32 bits of the Group ID create the Ethernet
multicast address.

IPv6 also uses multicast addresses to support link
address resolution. Every interface adds a multicast
address for each of its unicast addresses. The multicast
address takes the form FF02::1:FFxx:xxxx. The system
copies the last 24 bits of the unicast address to the
multicast address to replace the xx:xxxx. The system
then maps the IPv6 multicast address to the MAC
multicast address, as described above. This scheme
reduces the number of nodes that have to process
address-resolution requests. In IPv4, when one node
wants to obtain another node's interface MAC address,
the system sends a broadcast message to the broadcast
MAC address. Therefore, every interface on the link is
forced to process the request, even if it is not intended
for it. In IPv6, a node that wants to find another node's
interface MAC address will send a message
to the multicast address FF02::1:FFxx:xxxx, where xx:xxxx
is the bottom 24 bits of the Interface ID. This, in turn,
is translated into a MAC multicast address 33:33:FF:xx:xx:xx.
Only those interfaces on the link with matching
lower 24 bits in their Interface ID need to respond to the
address-resolution request.

Table 1. Common predefined multicast addresses
FF01::1  Node-local scope, all nodes
FF02::1  Link-local scope, all nodes
FF05::1  Site-local scope, all nodes
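As an added example covering both mappings above (not code from the article), the following Python builds the solicited-node multicast address for a unicast address and maps any IPv6 multicast address onto its 33:33:xx:xx:xx:xx Ethernet address. It uses the standard ipaddress module; the sample addresses are constructed.

```python
"""IPv6 multicast to Ethernet mapping and solicited-node addresses (added example)."""
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def ipv6_multicast_to_mac(group):
    """Map an IPv6 multicast address to 33:33 followed by its low 32 bits."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError("not a multicast address: %s" % group)
    low32 = int(addr) & 0xFFFFFFFF
    return "33:33:" + ":".join("%02x" % b for b in low32.to_bytes(4, "big"))


def solicited_node_address(unicast):
    """Return the ff02::1:ffxx:xxxx group that resolves `unicast` on the link."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF   # bottom 24 bits
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24).compressed


def neighbor_discovery_targets(unicast):
    """Both addresses an interface must listen on to answer resolution
    requests for `unicast`: the IPv6 group and its Ethernet counterpart."""
    group = solicited_node_address(unicast)
    return group, ipv6_multicast_to_mac(group)


if __name__ == "__main__":
    host = "2001:db8::211:22ff:fe33:4455"      # constructed sample address
    print(host, "->", neighbor_discovery_targets(host))
    for group in ("ff02::1", "ff05::1"):
        print(group, "->", ipv6_multicast_to_mac(group))
```

Note that ff02::1 and ff05::1 from Table 1 both map to 33:33:00:00:00:01: the Ethernet filter on a card cannot tell the two scopes apart, so the IPv6 stack still has to check the full 128-bit group before accepting a frame, and so must any monitoring that keys on MAC addresses alone.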


IPv6 Features
There's more to IPv6 than simply an expanded address
space. IPv6 includes a new header format, improved
support for extensions and options, flow-labeling
capabilities, and authentication and privacy capabilities.


New header format
IPv6's new header format minimizes the overhead often
spent processing fields or information in packet headers.
In IPv4, routers and end systems are required to examine
packets in detail, looking for information necessary to
determine whether the packet should be processed further.
With IPv6, you'll now find those fields (when required)
after the main packet header in Extension Headers. The
new header format makes header processing much more
efficient at routers, which can ignore information in any
Extension Headers with the exception of a Hop-by-Hop
Extension Header, which must immediately follow the
IPv6 header. The Hop-by-Hop Extension Header might
contain information necessary for a router, such as a
warning that a packet is a Jumbo packet (greater than
65,535 bytes), or that a router must perform additional
processing on the packet.


Improved support for extensions and options
The change in the IPv6 packet header format and the
use of Extension Headers facilitate this new feature.
Options in Extension Headers have fewer limitations on
size than in IPv4, and IPv6 is extensible by adding more
defined Extension Headers over time.

In IPv6, if a destination node receives an IPv6
packet containing an Extension Header that it doesn't
recognize, it informs the source node via Internet Control
Message Protocol version 6 (ICMPv6) that it can't
process the packet. This feature lets nodes implement
IPv6 extensions independently of each other and still
communicate.
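As an added example (not from the article), the following Python walks a raw IPv6 packet's header chain the way a router has to: it reads the fixed 40-byte header, follows the Next Header values through the Extension Headers, enforces the rule stated above that a Hop-by-Hop header may only sit first, and pulls the Jumbo Payload length out of it when present. A packet that breaks the ordering rule is one a firewall or IDS should drop rather than try to interpret. The two packets it parses are constructed in the code; the header type numbers and the Jumbo Payload option type come from the IPv6 RFCs, not from the article.

```python
"""IPv6 extension header chain walker (added example, not the article's code)."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
ICMPV6 = 58
NAMES = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
         ESP: "ESP", AH: "AH", DEST_OPTS: "Destination Options"}
JUMBO_OPTION = 0xC2            # Jumbo Payload option, only valid in Hop-by-Hop


def _jumbo_length(options):
    """Return the Jumbo Payload length if the option is present, else None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                          # Pad1: a single byte, no length
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if kind == JUMBO_OPTION and length == 4:
            return int.from_bytes(options[i + 2:i + 6], "big")
        i += 2 + length                        # skip this type/length/value
    return None


def parse_ipv6(packet):
    """Parse the fixed header and walk the extension header chain."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    first, payload_len, nh, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    result = {"payload_length": payload_len, "hop_limit": hop_limit,
              "chain": [], "problems": [], "jumbo_length": None}
    offset, position = 40, 0
    while nh in NAMES:
        result["chain"].append(NAMES[nh])
        if nh == ESP:                          # payload is encrypted: chain ends
            break
        if offset + 8 > len(packet):
            result["problems"].append("header chain runs past the end of the packet")
            break
        next_nh = packet[offset]               # every walkable header starts with Next Header
        if nh == FRAGMENT:
            length = 8                         # fixed size
        elif nh == AH:
            length = (packet[offset + 1] + 2) * 4    # length in 4-byte units, minus 2
        else:
            length = (packet[offset + 1] + 1) * 8    # length in 8-byte units, not counting the first
        if nh == HOP_BY_HOP:
            if position != 0:
                result["problems"].append(
                    "Hop-by-Hop header at position %d; it must immediately follow the IPv6 header" % position)
            result["jumbo_length"] = _jumbo_length(packet[offset + 2:offset + length])
        offset += length
        position += 1
        nh = next_nh
    result["upper_layer"] = nh
    if result["jumbo_length"] is not None and payload_len != 0:
        result["problems"].append("Jumbo Payload option present but Payload Length is not zero")
    return result


# Constructed sample packets (documentation prefix 2001:db8::/32).
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def _fixed_header(next_header, payload_length):
    return struct.pack("!IHBB", 6 << 28, payload_length, next_header, 64) + SRC + DST


ICMP_ECHO = bytes([128, 0]) + bytes(6)          # ICMPv6 echo request stub

# Well-formed: Hop-by-Hop (carrying Jumbo Payload) -> Destination Options -> ICMPv6
GOOD_PACKET = (_fixed_header(HOP_BY_HOP, 0)
               + bytes([DEST_OPTS, 0, JUMBO_OPTION, 4]) + (70000).to_bytes(4, "big")
               + bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])     # PadN option fills the header
               + ICMP_ECHO)
# Malformed: Hop-by-Hop placed after Destination Options
BAD_PACKET = (_fixed_header(DEST_OPTS, 24)
              + bytes([HOP_BY_HOP, 0, 1, 4, 0, 0, 0, 0])
              + bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])
              + ICMP_ECHO)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_PACKET), ("bad", BAD_PACKET)):
        print(name, parse_ipv6(pkt))
```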
Flow-labeling capabilities
IPv6 uses flow labeling for Quality of Service (QoS). Flow
labeling lets a source node define a priority (e.g. real
time), which might be used in Voice over IP (VoIP) or
Video-over-IP solutions to guarantee delivery of a packet
within a certain time window. In IPv4, QoS often requires
a router or node to look beyond a packet's header for
information. In IPv6, all necessary information is in the
header.


Authentication and privacy
IPv6's authentication and privacy capabilities are,
essentially, IPSec. IPSec is now a requirement in
IPv6 implementations, whereas in IPv4 it's an optional
component. IPSec supports Authentication Headers, which
authenticate nodes to each other and ensure the integrity
of data exchanged between them, and Encapsulating
Security Payload (ESP), which has similar functionality but
also includes the ability to encrypt data for confidentiality.

Unlike IPv4, in which different implementations of the
protocol by different vendors could, and would, result in
an inability of nodes to communicate with each other, in
IPv6 interoperability is almost guaranteed, thanks to the
underlying standards.


Stay Tuned

We've only just started. Now that you've got some solid
foundational knowledge about IPv6, you're primed to dive
into the actual configuration and use of the protocol. Get
ready to make it work on FreeBSD and PC-BSD, and
prepare yourself for configuring interfaces with addresses
and enabling DNS resolution. In Part 2, I'll talk about how
to enable IPv6 and IPv4 interoperability on your way to an
all-IPv6 network.


Footnotes
[1] Both IPv4 and IPv6 have standard methods for address
autoconfiguration. For link-local addressing IPv4 uses the
special block 169.254.0.0/16 as described in RFC 3927,
while IPv6 hosts use the prefix fe80::. Some books
and documentation refer to this as Zero Configuration
networking while Microsoft refers to this as Automatic
Private IP Addressing (APIPA). The APIPA name has
stuck ever since.


PAUL T. AMMANN
Paul lives in New Fairfield, CT with his wife Eve and two cats.
He recently converted from Linux to OpenBSD although he still
misses his TI-99/4A and Timex Sinclair.
The Inevitability of IPv6, Part 2

Configure IPv6 in your network, even if your routing
infrastructure doesn't yet support it.

What you should know...
• Basic TCP/IP knowledge





I maintained in The Inevitability of IPv6, Part 1 that
even if you have no immediate plans to migrate to
IPv6 in your enterprise, you need to be ready for
it and you need to understand how FreeBSD uses it. If
you communicate regularly with business partners over
the Internet, you might be forced to tackle IPv6 because
many companies are already beginning to make the
transition. Increasingly, governments, including the US
government, are mandating its use.

In Part 1, I described how the BSD family of
operating systems are supporting IPv6, and I provided
an overview of how IPv6 addressing works. Be
sure you're well-versed in that article's foundational
information before taking the plunge into this article.
Now, without further ado, let's investigate how to enable
and configure IPv6 in FreeBSD and how to use IPv6
to communicate, even if your routing infrastructure
doesn't yet support it.





As I explained in Part 1, the BSD family of operating
systems come with IPv6 installed and running. For this
article I'll be using FreeBSD 8.2 that has been updated
and patched using portsnap. Let's get started.
The FreeBSD kernel is already IPv6 enabled. You can
manually enable IPv6 by adding the following line to the
/etc/rc.conf configuration file:

You can manually start the appropriate rc script (or
reboot the system) for the changes to take effect:


This will enable IPv6 on all interfaces that are IPv6
capable. This behavior is changed by modifying the
following variable in the /etc/rc.conf file:

This will enable IPv6 support on specified interfaces.
The default value for this variable is auto.

Once you enable IPv6, interfaces will discover the IPv6-
enabled routers on the network and build their own IPv6
addresses based on the network prefix they receive from
the router.





Configuring Interfaces
In a typical scenario, the IPv6 network stack will automatically
look for an IPv6-enabled router on the same network for
each interface and try to automatically configure the IPv6
address on the interface.

The following is an example of an automatically
configured interface: Listing 1
Beside the IPv4 address, there are two IPv6 addresses
on the interface. One address begins with fe80: and is
identified with the scopeid tag; this is called a link-
local address.

The unicast address prefix is obtained from the IPv6
router on the network. The whole address is created using
the 64-bit Extended Unique Identifier (EUI-64) algorithm,
which consists of the host's MAC address with some minor
modifications.

The link-local address (that is from the reserved address
pool) always starts with fe80: and is used for local network
usage. This can be compared with RFC 1918 private
addresses that are suitable for local use. The network
stack will automatically assign a link-local address to
each IPv6-enabled interface, regardless of whether an IPv6
router is discovered on the network. This means that in a
scenario of a home network or a lab network, you don't
need to run an IPv6 router or have a valid IPv6 prefix in
order to establish an IPv6 network. All the hosts will be
automatically provisioned with a link-local address, so they
can exchange IPv6 traffic.

The Neighbor Discovery Protocol (NDP) helps the host
find the router on the network and then create a unicast
address for the interface. NDP is known as the equivalent
to the ARP protocol in IPv6. The ndp(8) utility is used to
control the behavior of this protocol: Listing 2





The above example shows the discovered IPv6 hosts.
The em0 interface is connected to an IPv6-enabled
network and receives a valid prefix via a router (the first
entry of the list).

The second entry is the unicast address of the host. The
third and fourth entries are link-local addresses for the router
and our host.

As you have seen so far, there are some special
(reserved) IPv6 addresses. The following table shows a
list of reserved addresses: Table 1

In case you want to configure a static IPv6 address on
an interface, it can be done as in a typical IPv4 scenario:
Listing 3

This will manually configure an IP address on the
specified interface. Note the prefixlen keyword that is
equivalent to the subnet mask in IPv4.





Routing IPv6
Similar to IPv4, your host doesn't automatically forward
IPv6 traffic between interfaces, by default. In order to
enable packet forwarding between the two IPv6-enabled
interfaces, you should modify the appropriate
sysctl variable:

Listing 1. An example of an automatically configured interface
Listing 2. The ndp utility
Table 1. List of reserved IPv6 addresses:
fe80:: Link-local
fec0:: Site-local
ff00:: Multicast


This can also be achieved by adding the following
variable to the /etc/rc.conf file:

After enabling IPv6 forwarding in the /etc/rc.conf file, you
should reboot your system or run the relevant rc script.


The rtadvd(8) daemon is another component that
you may want to enable on an IPv6 router. As
mentioned earlier, the hosts automatically configure
the IPv6 addresses on their interfaces, based on the
advertisements they receive from the IPv6-enabled
routers on the same subnet. These advertisements are
called Router Advertisement (RA) packets. The rtadvd(8)
daemon sends router advertisements on the specified
network interfaces, helping hosts to automatically
configure IPv6 addresses on their interfaces. This is
done based on the IPv6 prefix it advertises, as well as
identifying itself as the gateway for the network.

To enable rtadvd(8), add the following lines to
/etc/rc.conf (ensuring that your host is also configured to
forward IPv6 traffic):

Note
Make sure that you only enable transmission of RA
packets on interfaces that you need to. This can be
done using the corresponding rc.conf variable.
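The two points made here, that the host sending Router Advertisements must itself forward IPv6 traffic and that RAs must only leave the interfaces you choose, are easy to get wrong in /etc/rc.conf, and an unrestricted rtadvd(8) turns a machine into a gateway for every segment it touches. The following added example (my own code, not the article's) parses an rc.conf-style file and reports both mistakes. It assumes the FreeBSD 8.x variable names ipv6_enable, ipv6_gateway_enable, rtadvd_enable and rtadvd_interfaces, which the article's listings do not reproduce here; the two configurations it checks are constructed samples.

```python
"""rc.conf audit for an IPv6 router (added example, not the article's code)."""
import re
import shlex

# Matches sh-style assignments such as rtadvd_enable="YES".
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_rc_conf(text):
    """Parse rc.conf-style name="value" lines into a dict; later lines win."""
    conf = {}
    for line in text.splitlines():
        match = ASSIGNMENT.match(line)
        if not match:
            continue                   # blank line, comment, or not an assignment
        name, value = match.groups()
        # shlex strips the quotes and drops a trailing "# comment".
        words = shlex.split(value, comments=True)
        conf[name] = words[0] if words else ""
    return conf


def is_yes(value):
    """The truth test rc(8) scripts apply: yes/true/on/1, case-insensitive."""
    return value.strip().lower() in ("yes", "true", "on", "1")


def audit_ipv6_router(conf):
    """Return a list of findings for an rc.conf meant for an IPv6 router."""
    findings = []
    if not is_yes(conf.get("ipv6_enable", "")):
        findings.append("ipv6_enable is not YES: IPv6 is not enabled at boot")
    forwarding = is_yes(conf.get("ipv6_gateway_enable", ""))
    rtadvd = is_yes(conf.get("rtadvd_enable", ""))
    if rtadvd and not forwarding:
        findings.append("rtadvd_enable is YES but ipv6_gateway_enable is not: hosts "
                        "will learn this machine as their gateway, yet it will not forward")
    if rtadvd and not conf.get("rtadvd_interfaces", "").split():
        findings.append("rtadvd_interfaces is empty: Router Advertisements would go "
                        "out on every interface, including the uplink")
    return findings


# Constructed sample: RAs enabled, no forwarding, no interface restriction.
WEAK_RC_CONF = """\
ipv6_enable="YES"
ipv6_network_interfaces="auto"
rtadvd_enable="YES"
"""

# Constructed sample: forwards IPv6 and advertises only on the inside segment.
HARDENED_RC_CONF = """\
ipv6_enable="YES"
ipv6_gateway_enable="YES"
rtadvd_enable="YES"
rtadvd_interfaces="em1"   # internal segment only
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_RC_CONF), ("hardened", HARDENED_RC_CONF)):
        print(label, audit_ipv6_router(parse_rc_conf(text)) or ["no findings"])
```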

Now you should create a configuration file for the
rtadvd(8) daemon. This file controls the behavior of the
rtadvd(8) daemon. The rtadvd(8) daemon reads /etc/rtadvd.conf
upon start up, to find out how it should send RA packets. A
sample /etc/rtadvd.conf file looks like the following:

This tells rtadvd(8) to advertise itself as a router for the subnet.

Please see the rtadvd.conf(5) man pages for more
information about various options that you can use in this
configuration file.


Note
It would be a good idea to use the relevant utility to see how
the RA packets are being sent.
Please note that in this case your machine is configured
as a router and not a host, which has a special meaning in
IPv6. In IPv6 terminology, a host is a machine that sends
Router Solicitation messages or listens for RA packets to
figure out its IPv6 address configuration as well as its
gateway. On the other hand, a router is a machine that
sends RA packets and is able to forward packets to the
correct destination.

Listing 3. Configuring a static IPv6 address on an interface, as in the IPv4 scenario
Listing 4. A sample tunnel setup


RIPv6
FreeBSD has built-in daemons that support RIPv1 and
RIPv2 for IPv4 and RIPng or RIPv6 (RFC 2080) for IPv6.
The routing daemon that supports RIPv6 is route6d(8).

The route6d(8) daemon is almost equivalent to its IPv4
counterpart and can be enabled by setting the following
variable in the /etc/rc.conf file:





Multicast Routing
The ability to route multicast traffic in FreeBSD is available
using third-party software that can be installed from the
Ports collection. The net/mcast-tools port allows Protocol
Independent Multicast Sparse-Mode (PIM-SM Version
2), PIM Source-Specific Multicast (SSM using PIM-SM),
and Protocol Independent Multicast Dense-Mode (PIM-
DM Version 2) routing. Once installed, the functionality is
enabled by adding this line to /etc/rc.conf:

This will automatically enable the pim6dd(8) (dense mode)
daemon. If you are planning to use pim6sd(8) (sparse mode),
you should also add the following line to /etc/rc.conf:








Tunneling
There are certain cases where you want to set up a tunnel
to transport IPv6 traffic over your existing IPv4 network.
This can be a site-to-site VPN between two IPv6-enabled
networks, or getting IPv6 connectivity to an IPv6 service
provider. There are different methods by which you can
set up such tunnels.

GIF Tunneling
There are chances that you don't have native IPv6
connectivity to the Internet. In that case, you can still
set up a non-native (tunneled) IPv6 connection to the
Internet.

There are several services that offer tunneling to IPv6
networks, such as www.sixxs.net. The only thing you
should do is to sign up for such a service and set up a
tunnel according to their instructions.

This is mostly done by encapsulating IPv6 traffic over
a gif(4) tunnel that is established over IPv4 to the other
end. In most cases, setting up such connectivity is pretty
straightforward.

A sample tunnel setup would look like this: Listing 4

In the above example, a gif(4) interface is created and
established between your IPv4 address and your tunnel
broker's IPv4 address. Then you should assign IPv6
addresses to the tunnel; in this case, one address is
assigned to your side of the tunnel and the other to the
far side of the tunnel. The latter is used as your IPv6
gateway as well.

The tricky part is setting up a default gateway for all
IPv6 traffic to the other side of the tunnel, which is done
using the route(8) command (note the -inet6 flag).

Once you have finished setting up the tunnel, you may
want to test your connectivity by pinging the other side of
the tunnel.


Summary
FreeBSD has had IPv6 support in the base operating
system since its early versions. This support has become
more mature in recent releases. Since we covered basic
configuration for IPv6 in this article, you may want to do
more complex things that are not covered here. There are
a few useful and up-to-date resources that you can find on
the Internet, one of them being the FreeBSD Handbook
section on IPv6 and IPv6 Internals in the Developer's
Handbook.


PAUL T. AMMANN
Paul lives in New Fairfield, CT with his wife Eve and two cats.
He recently converted from Linux to OpenBSD although he still
misses his TI-99/4A and Timex Sinclair.
10th European BSD Conference
6 until 9 October, 2011
Meeting Plaza, Maarssen
http://2011.eurobsdcon.org/

What has your server vendor done for
BSD lately? Probably, not much.